Below you will find some commonly asked questions and answers about the security requirements for the Registration System.
A passphrase is a series of words, often combined with numbers and symbols, that an individual uses to access a system. It works like a password but is much longer, which makes it much harder for an attacker to guess or crack.
An example of a passphrase might be “An apple a day keeps the doctor away”. This passphrase contains 36 characters, including the spaces between each word.
The passphrase policy lists the requirements for users in creating a passphrase in the Registration System. It outlines what is and isn't acceptable, and provides a timeframe for when passphrases need to be updated.
The current policy is outlined below:
Table 1: Passphrase policy
A passphrase in the Registration System must:
You will be required to change your passphrase every 90 days.
Web applications such as the Registration System are targeted by cyber criminals who use increasingly sophisticated tools to compromise them. Repeated cyber-attacks and data breaches have shown that short passwords are no longer sufficient to protect user accounts against unauthorised access.
Passphrases are more secure and harder to crack than passwords. They are easier for the user to remember and much longer, which significantly increases the effort an attacker needs to guess them.
Take the example above - “An apple a day keeps the doctor away”. An online estimator puts the time for a computer to crack this passphrase at roughly 3 quindecillion years, as opposed to a password such as “1234ABC”, which it estimates at 1 second (https://www.security.org/how-secure-is-my-password/). Note that such estimates assume the attacker must try every character combination; a well-known saying on its own can also appear in attackers' word lists, which is why the good examples below add digits and symbols to the phrase.
The longer and more complex your passphrase is, the more difficult it will be for someone to crack it.
If you have not logged on in some time, you may be prompted to change your existing password to a passphrase that meets the passphrase policy requirements (see Table 1 above). After successfully changing your passphrase, you will then be able to log in and continue using the system as normal.
Your passphrase will expire every 90 days and you will need to reset it. You will receive email warnings letting you know when you need to reset your passphrase. See Question 1I below for more information.
You may also need to reset your passphrase if you do not log in to your account for over 30 days and the system deactivates your account as a security measure. For more information on this, see the questions on account deactivation below.
You can create a good passphrase by choosing one that consists of a phrase or series of words that you can remember, but which is long and complex enough to satisfy the passphrase requirements.
The longer and more complex your passphrase is, the more difficult it will be for someone to crack it.
Examples of good and bad passphrases are listed in the tables below.
There are also resources on the internet that can assist you with creating a good passphrase.
Example | Why is it a good passphrase?
---|---
An apple a day keeps the doctor away84@ |
Rally upon shoptalk vending56% |

Example | Why is it a bad passphrase?
---|---
whatgoesupmustcomedown |
Password123 |
Energy Rating Product Registration System24! |
No. Now that passphrases have been implemented, passwords are no longer accepted.
Your passphrase must be kept secure at all times. You must not write it down, leave it somewhere other people can access it, or tell it to anyone.
If you're worried about forgetting your passphrase, you can use a password manager to securely store your passphrase. The GEMS Regulator cannot recommend specific password managers, but there are a number of secure and reliable options out there. Your organisation may have a nominated password manager available that you can use. Please contact your ICT department for further advice.
Multi-factor authentication (MFA) requires two or more independent proofs of identity before you are logged in. You might provide a password or passphrase, and then be prompted for a code from an authenticator app or a message sent to your phone or email address. An attacker who has obtained your passphrase still cannot log in without the second factor, which makes it much harder to take over a user's account and is why MFA is the preferred method of authentication.
At this stage, we are unable to implement multi-factor authentication without adversely impacting a registrant's ability to register, but we are continuing to look at how we might make this available in the future.
Your passphrase is timed to expire 90 days from the date you create it.
You will receive a number of warnings by email letting you know that your passphrase is about to expire.
See Figure 1 below for an example.
Figure 1: Passphrase expiry - Email notification
If your passphrase expires, the next time you attempt to log in, you will see the message as shown in Figure 2 below which will prompt you to change your passphrase. You will need to change it to a new passphrase, as you will not be permitted to use one you have previously used.
Figure 2: Passphrase expiry - Passphrase expired screen
When you enter your passphrase incorrectly five times, the system will lock your account so that you cannot log in, even if you do remember your correct passphrase.
The account will be locked out until the Energy Rating Team reactivates it.
The account lockout is a security mechanism designed to assist in preventing unauthorised individuals from illegally accessing your account.
It enables us to provide protection for your user account and your data while we investigate the cause of the failed login attempts. If this is simple user error, your account will be reactivated within 24 business hours.
Yes. You will see a message on the screen with each failed login attempt that indicates how many attempts you have remaining until your account is locked out, as shown in Figure 3 below:
Figure 3: Account lockout message
The message as shown in Figure 4 below will appear on screen when your account is locked out:
Figure 4: User locked out message
You will also receive the email as shown in Figure 5 to the email address recorded in your account in the system:
Figure 5: Email notification: Account locked out
Contact the Energy Rating Team to request an account reactivation. Please include the email address your account is registered to, as well as your username.
We reserve the right to request additional information to confirm your identity as the legal owner of the account.
Once our team is satisfied that no suspicious or malicious activity has occurred, your account will be reactivated, and you will be notified by the Energy Rating Team. You will need to reset your passphrase before you can log in.
Contact the Energy Rating Team explaining your situation. Please include the email address in question, and your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).
We reserve the right to request additional information to confirm your identity as the legal owner of the account.
Failed login attempts must be investigated before we can reactivate the user account. Keeping the account locked while we investigate protects your account and your data.
If we identify that your account has been compromised, or uncover evidence that reactivating your account may pose a security risk, your existing account will remain locked and we will arrange for a new account to be created for you. We will assist you in getting set up so that you may continue to use the system as you did under your previous account, as well as potentially retrieving any data you may need from your old account.
For security reasons, you will not be permitted to access your old account again.
If you have not logged in to your account in over 30 days, the system will automatically deactivate your account.
The automatic deactivation of your account after 30 days is a security measure designed to protect your account and the data you have access to, in the event that you are away for an extended period of time or leave your organisation or business entirely.
No. It does not mean your account has been deleted; it simply means it has temporarily been deactivated to prevent unauthorised access. At no point in this process is your account deleted.
The system will notify you in a few ways if your account is deactivated:
Figure 6: Email notification - Account deactivation warning
Figure 7: Email notification - Account deactivated
Figure 8: Account deactivated message
Follow the instructions in the email and reset your passphrase. You cannot use the same passphrase as you used previously. You then need to log in to your account to complete the reactivation process. Simply resetting your passphrase won't reactivate your account.
If you do not reactivate your account within 12 months of this initial deactivation, you will need to contact the Energy Rating Team to have your account reactivated.
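The controls described in this FAQ (passphrase expiry after 90 days, no reuse of a previous passphrase, lockout after five incorrect attempts with a remaining-attempts message, deactivation after more than 30 days without a login, and reactivation by a passphrase reset followed by a login) are easier to reason about when written down as code. The following Python is an added example written for this page, not the Registration System's own code: the class, method names, the constructed reference date, the choice of PBKDF2 and the rule that a correct passphrase resets the failed-attempt counter are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

PASSPHRASE_LIFETIME = timedelta(days=90)  # "expire every 90 days"
INACTIVITY_LIMIT = timedelta(days=30)     # deactivated after "over 30 days" without a login
MAX_FAILED_ATTEMPTS = 5                   # locked after five incorrect passphrases
PBKDF2_ROUNDS = 100_000                   # kept modest for the demo; OWASP suggests 600,000

# Constructed reference date so the rules can be exercised offline with day offsets.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """Timestamp n days after the constructed EPOCH."""
    return EPOCH + timedelta(days=n)


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: a stolen table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """One user's state, tracking only the controls the FAQ describes (assumed design)."""

    def __init__(self, username: str, passphrase: str, now: datetime):
        self.username = username
        self.salt = os.urandom(16)
        self.passphrase_hash = hash_passphrase(passphrase, self.salt)
        self.history: list[tuple[bytes, bytes]] = []  # (salt, hash) of retired passphrases
        self.passphrase_set_at = now
        self.last_login_at = now
        self.failed_attempts = 0
        self.locked = False               # cleared only by the Energy Rating Team (unlock)
        self.deactivated = False          # cleared by a passphrase reset followed by a login
        self.reset_since_deactivation = False
        self.reset_required = False       # set when the team unlocks the account

    def _matches(self, passphrase: str, salt: bytes, digest: bytes) -> bool:
        # Constant-time comparison of the recomputed hash against the stored one.
        return hmac.compare_digest(hash_passphrase(passphrase, salt), digest)

    def _reused(self, passphrase: str) -> bool:
        # True if the candidate equals the current or any retired passphrase.
        candidates = [(self.salt, self.passphrase_hash)] + self.history
        return any(self._matches(passphrase, s, h) for s, h in candidates)

    def login(self, passphrase: str, now: datetime) -> str:
        """Attempt a login and return a short status string."""
        if self.locked:
            return "locked"
        if not self.deactivated and now - self.last_login_at > INACTIVITY_LIMIT:
            self.deactivated = True           # the inactivity rule fires at the next login
        if self.deactivated and not self.reset_since_deactivation:
            return "deactivated"
        if not self._matches(passphrase, self.salt, self.passphrase_hash):
            self.failed_attempts += 1
            remaining = MAX_FAILED_ATTEMPTS - self.failed_attempts
            if remaining <= 0:
                self.locked = True
                return "locked"
            return f"failed: {remaining} attempt(s) remaining"   # Figure 3 style message
        # Assumption (not stated in the FAQ): a correct passphrase resets the counter.
        self.failed_attempts = 0
        if self.reset_required or now - self.passphrase_set_at >= PASSPHRASE_LIFETIME:
            return "reset required"           # expired (Figure 2) or post-unlock reset
        self.deactivated = self.reset_since_deactivation = False  # reactivation completes
        self.last_login_at = now
        return "ok"

    def change_passphrase(self, new_passphrase: str, now: datetime) -> None:
        """Retire the current passphrase; the caller must already have verified the user
        (current passphrase, or the emailed reset link for a deactivated account)."""
        if self.locked:
            raise PermissionError("account locked; contact the Energy Rating Team")
        if self._reused(new_passphrase):
            raise ValueError("a previously used passphrase cannot be reused")
        self.history.append((self.salt, self.passphrase_hash))
        self.salt = os.urandom(16)
        self.passphrase_hash = hash_passphrase(new_passphrase, self.salt)
        self.passphrase_set_at = now
        self.failed_attempts = 0
        self.reset_required = False
        if self.deactivated:
            self.reset_since_deactivation = True

    def unlock(self) -> None:
        """Stand-in for the Energy Rating Team reactivating a locked account."""
        self.locked = False
        self.failed_attempts = 0
        self.reset_required = True            # the user must reset before logging in


if __name__ == "__main__":
    acct = Account("alice", "An apple a day keeps the doctor away84@", day(0))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(acct.login("Password123", day(1)))   # counts down, then "locked"
```

Passphrases are never stored or compared in plaintext: each is salted and hashed with a slow key-derivation function, retired passphrases are kept only as their salted hashes so the reuse check can be done without ever holding the old secrets, and hash comparisons use `hmac.compare_digest`. Lockout is deliberately terminal for the user: only `unlock()`, standing in for the Energy Rating Team's reactivation, clears it, and it forces a passphrase reset before the next login, matching the process described above.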
Contact the Energy Rating Team explaining your situation. Please include the email address in question, your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).
We reserve the right to request additional information to confirm your identity as the legal owner of the account.
Contact the Energy Rating Team explaining your situation. Please include the email address in question, your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).
We reserve the right to request additional information to confirm your identity as the legal owner of the account.
Your account may have been inactive for over 30 days prior to these changes being rolled out, so the system is letting you know your account has been deactivated.
Follow the instructions outlined in the email to reactivate your account.
The reactivation process is a two-step process:
1. Reset your passphrase by following the instructions in the email. You cannot reuse a previous passphrase.
2. Log in to your account with the new passphrase as soon as you have reset it. The account is not reactivated until you complete this login.