Password Minimum Requirements

This section sets out the minimum requirements for the delivery of online services within the Low Risk Category, focusing in particular on the attacks discussed in 5.1. Requirements from the Authentication Key Strengths Standardfor services in the Low Risk Category MUST also be followed.

Agencies MUST undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies SHOULD follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ HB 231:2004.

6.1 Association of passwords

An agency MUST associate a password with a customer, only when the customer has satisfied the evidence of identity requirements designated for services in the Low Risk Category in the Evidence of Identity Standard.

6.2 Using higher-level authentication keys

Agencies SHOULD give customers who have been associated with an authentication key for services in a higher risk category the choice to use this higher-level authentication key for services in a lower risk category on a casual or permanent basis. This can only happen if the agency’s authentication system supports the use of a higher-level authentication key.

6.3 Customer advice and responsibilities

Agencies MUST provide advice on how customers can fulfil their security responsibilities in terms of constructing acceptable passwords and methods for managing passwords. Advice MUST cover construction requirements, methods for constructing strong passwords, password management practices and computing environment protection. These details SHOULD at least cover the topics in Appendix A. For further requirements concerning agency provision of advice for customers, refer to SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006, AS/NZS ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004.

6.4 Password construction


Agencies MUST use passwords generated by the customer, except in the case of initial or reset passwords, which are generated as described in 6.5.3.


Passwords MUST be a minimum of seven (7) characters. Passwords SHOULD contain characters from at least three (3) of the following sets:

  1. Lowercase characters (a-z).
  2. Uppercase characters (A-Z).
  3. Digits (0-9).
  4. Punctuation and special characters (for example,!@#$%^&*).

These requirements MUST be enforced by the system.


The password system MUST enforce the requirements of 6.4.2 for passwords generated by the customer at the initial setting. (Requirements for system-generated passwords are described under 6.5.3).


Agency password systems MUST accept as distinct all the characters of 6.4.2 (1 to 4). (For example, the password system shall be able to distinguish between upper case and lower case alphabet characters when they are used in customer passwords.)

6.5 Password management


Agencies MUST:

  1. Protect passwords in storage and during the online authentication exchange. (Requirements for the authentication exchange protection of passwords are detailed in the Authentication Key Strengths Standard.)
  2. Require passwords to be changed at least every 12 months.
  3. Retain a history of at least the last six (6) passwords used by a customer.
  4. Ensure that the customer does not use a password from their password history.
  5. Require the customer to change an initial logon or a reset password immediately following authentication with that password.


Agencies SHOULD:

  1. Require passwords to be changed at least every 90 days.
  2. Retain a password history of at least the last six (6) passwords used by a customer.
  3. Ensure that the customer does not use a password form their password history.


Agencies SHOULD disallow customer-generated passwords at creation that are predictable or guessable choices. For example, obvious combinations or variations involving the username, dates, ‘password’ or ‘logon’ SHOULD be excluded. NOTE – Commonly used and easily guessed passwords, like ‘password’, ‘Passw0rd’, ‘L0g0n01’, ‘Sign0n1’, etc. should be excluded by checking passwords against a password dictionary containing the passwords to be rejected.


Agencies MUST use pseudo-random, system-generated passwords for initial or reset passwords. Such passwords MUST comply with 6.4.2.


Agencies MUST allow customers to change their password and make this service available from the logon page.


Agencies MUST ensure that the full password is not visible on the screen when entered.


Agencies MUST require customers to enter a new password at least twice.


An agency MUST expire a customer’s password, so that it can no longer be used, when the customer chooses to use their higher-level authentication key to access all of the agency’s services in the Low Risk Category on a permanent basis. The authentication key requirements are prescribed in the Authentication Key Strengths Standard(refer to Table 1 of that Standard).


Agencies SHOULD allow customers to suspend their account.

6.6 Session logout

Agencies MUST configure their online services to log out a customer following 15 minutes of inactivity. NOTE – Filling out forms etc. may not be detected as activity, so agency services need to be appropriately designed.

6.7 Access management


Agencies MUST:

  1. Lockout the customer username after no more than five (5) consecutive unsuccessful password attempts against the customer username.
  2. Provide access to a password reset page from the logon page (this may be used by customers who know they have forgotten their password).
  3. Perform a risk assessment to ensure the strength of the enrolment and password reset processes are consistent with the strength of the password requirements given in this Standard (advice is given in Appendix B).

NOTE – To defend against denial of service attacks, agencies may consider using time delays following a series of unsuccessful password attempts.


Agencies SHOULD:

  1. Disable inactive accounts following a period of no more than 24 months.
  2. Inform customers prior to disabling their accounts, so that there is time for responses to be considered.
Page last updated: 26/09/2016