
Help Section - Troubleshooting

Last updated 1st August 2022

Frequently Asked Questions: Registration System Security Requirements

Below you will find some commonly asked questions and answers about the security requirements for the Registration System.

1. Replacing Passwords with Passphrases

1A. What is a passphrase?

A passphrase is a series of words and characters that is used by an individual to access a system. It is similar to a password, but is much longer and as a result, much more secure and more difficult for cyber criminals to hack.

An example of a passphrase might be “An apple a day keeps the doctor away”. This passphrase contains 36 characters, including the spaces between each word.

1B. What is the passphrase policy?

The passphrase policy lists the requirements for users in creating a passphrase in the Registration System. It outlines what is and isn't acceptable, and provides a timeframe for when passphrases need to be updated.

The current policy is outlined below:

Table 1: Passphrase policy

A passphrase in the Registration System must:

  • Contain a minimum of 4 words, adding up to a minimum of 14 characters, with a hyphen (-), space or underscore (_) between each word.
  • Be sufficiently complex: it must contain at least three of the following:
    • at least one uppercase letter (A-Z);
    • at least one lowercase letter (a-z);
    • at least one number (0-9);
    • at least one special character (this excludes hyphens, underscores and spaces).
  • Not be a password or passphrase you have already used on this or other sites or systems.
  • Not repeat any words.
  • Not use restricted words. Restricted words are words that are widely used in the system, e.g. "GEMS", "Registration" and "E3".
  • Be changed every 90 days.

1C. Why did the Registration System move to passphrases?

Web applications such as the Registration System are vulnerable to malicious attacks from cyber criminals, who use increasingly sophisticated software and technology to compromise these applications. Repeated cyber-attacks and data breaches mean that passwords are no longer sufficient to protect user accounts against unauthorised access.

Passphrases are more secure and harder to hack than passwords. They are easier for the user to remember, and longer in length, which significantly increases the difficulty for cyber criminals in trying to hack them.

Take the example above - “An apple a day keeps the doctor away”. It would take a computer roughly 3 quindecillion years to crack this passphrase, as opposed to a password such as “1234ABC”, which would take a computer 1 second to crack (https://www.security.org/how-secure-is-my-password/).

The longer and more complex your passphrase is, the more difficult it will be for someone to crack it.

1D. How does this affect me and what do I need to do?

If you have not logged on in some time, you may be prompted to change your existing password to a passphrase that meets the passphrase policy requirements (see Table 1 above). After successfully changing your passphrase, you will then be able to log in and continue using the system as normal.

Your passphrase will expire every 90 days and you will need to reset it. You will receive email warnings letting you know when you need to reset your passphrase. See Question 1I below for more information.

You may also need to reset your passphrase if you do not log in to your account in over 30 days and the system deactivates your account as a security measure. For more information on this, see Section 3 (Automatic Account Deactivation) below.

1E. How do I create a good passphrase?

You can create a good passphrase by choosing one that consists of a phrase or series of words that you can remember, but which is long and complex enough to satisfy the passphrase requirements.

The longer and more complex your passphrase is, the more difficult it will be for someone to crack it.

Examples of good and bad passphrases are listed in the tables below.

There are also resources on the internet that can assist you with creating a good passphrase.

Table 2: Examples of good passphrases

Example: An apple a day keeps the doctor away84@
Why is it a good passphrase?
  • ✓ Contains 8 words with spaces between each word
  • ✓ Contains 39 characters, including spaces
  • ✓ Contains two numbers, an uppercase letter, a lowercase letter and a special character, so it is sufficiently complex
  • ✓ There are no repeating words
  • ✓ There are no restricted words
  • ✓ It is easy to remember while being sufficiently long and complex

Example: Rally upon shoptalk vending56%
Why is it a good passphrase?
  • ✓ Contains 4 words with spaces between each word
  • ✓ Contains 30 characters, including spaces
  • ✓ Contains two numbers, an uppercase letter, a lowercase letter and a special character, so it is sufficiently complex
  • ✓ There are no repeating words
  • ✓ There are no restricted words
  • ✓ It is easy to remember while being sufficiently long and complex

Table 3: Examples of bad passphrases

Example: whatgoesupmustcomedown
Why is it a bad passphrase?
  • ✗ It contains the minimum of 4 words (6 in total), but there is no hyphen, space or underscore between each word;
  • ✗ It is not sufficiently complex - it contains only lowercase letters, with no uppercase letter, number or special character.

Example: Password123
Why is it a bad passphrase?
  • ✗ It is not a passphrase;
  • ✗ It does not contain the minimum 4 words;
  • ✗ It does not contain the minimum 14 characters;
  • ✗ It is not sufficiently complex.

Example: Energy Rating Product Registration System24!
Why is it a bad passphrase?
  • ✗ It contains restricted words - "energy rating", "product", "registration" and "system" - words that are used in the system.
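The policy in Table 1 can be checked mechanically. The checker below is an added example, not the Registration System's own code; it applies the Table 1 rules literally and uses a restricted-word set constructed from the examples on this page (the system's real list is not published). The samples from Tables 2 and 3 serve as its inputs.

```python
import re
from typing import List

# Restricted words, constructed from the examples the page itself gives
# ("GEMS", "Registration", "E3", "energy rating", "product", "system");
# the system's full list is not published, so this set is an assumption.
RESTRICTED_WORDS = {"gems", "registration", "e3", "energy", "rating", "product", "system"}
SEPARATORS = re.compile(r"[-_ ]")      # the three permitted word separators


def passphrase_violations(passphrase: str) -> List[str]:
    """Return the Table 1 rules the passphrase breaks; an empty list means it is acceptable.

    The "not previously used" rule needs a per-user history and is not checked here.
    """
    problems = []
    words = [w for w in SEPARATORS.split(passphrase) if w]
    if len(words) < 4:
        problems.append("fewer than 4 words separated by a hyphen, space or underscore")
    if len(passphrase) < 14:
        problems.append("fewer than 14 characters")
    classes = (
        any(c.isupper() for c in passphrase),
        any(c.islower() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() and c not in "-_ " for c in passphrase),
    )
    if sum(classes) < 3:
        problems.append("fewer than three of: uppercase, lowercase, number, special character")
    # Compare letters and digits only, so "System24!" still matches the restricted word "system".
    cores = [re.sub(r"[^a-z0-9]", "", w.lower()) for w in words]
    if len(set(cores)) != len(cores):
        problems.append("repeats a word")
    hits = sorted({r for c in cores for r in RESTRICTED_WORDS if c.startswith(r)})
    if hits:
        problems.append("uses restricted words: " + ", ".join(hits))
    return problems


def is_acceptable(passphrase: str) -> bool:
    return not passphrase_violations(passphrase)


if __name__ == "__main__":
    for sample in ("An apple a day keeps the doctor away84@", "Rally upon shoptalk vending56%",
                   "whatgoesupmustcomedown", "Password123",
                   "Energy Rating Product Registration System24!"):
        print(sample, "->", passphrase_violations(sample) or "acceptable")
```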

1F. Can I continue using my password?

No. The implementation of passphrases means that passwords will no longer be accepted.

1G. I’m worried I’ll forget my passphrase. What can I do?

Your passphrase must be stored securely at all times. You must not write it down and/or leave it somewhere where other people can access it, or communicate it to other people.

If you're worried about forgetting your passphrase, you can use a password manager to securely store your passphrase. The GEMS Regulator cannot recommend specific password managers, but there are a number of secure and reliable options out there. Your organisation may have a nominated password manager available that you can use. Please contact your ICT department for further advice.

1H. Can I use multi-factor authentication?

Multi-factor authentication is a form of authentication that involves two or more steps in the authentication process. You might provide a password or passphrase, but then be prompted to enter a code from an app or a message that is sent to your phone or email address. These additional steps make it much harder for malicious cyber actors to access a user's account, and multi-factor authentication is the preferred method of authentication.

At this stage, we are unable to implement multi-factor authentication without adversely impacting a registrant's ability to register, but we are continuing to look at how we might make this available in the future.

1I. What happens when my passphrase expires?

Your passphrase is timed to expire 90 days from the date you create it.

You will receive a number of warnings by email letting you know that your passphrase is about to expire.

See Figure 1 below for an example.

Figure 1: Passphrase expiry - Email notification

Screenshot of passphrase expiry notification

If your passphrase expires, the next time you attempt to log in, you will see the message as shown in Figure 2 below which will prompt you to change your passphrase. You will need to change it to a new passphrase, as you will not be permitted to use one you have previously used.

Figure 2: Passphrase expiry - Passphrase expired screen

Screenshot of an attempted login with an expired passphrase

2. Account Lockout

2A. What happens with the account lockout?

When you enter your passphrase incorrectly five times, the system will lock your account so that you cannot log in, even if you then enter the correct passphrase.

The account will be locked out until the Energy Rating Team reactivates it.

2B. Why does the Registration System need an account lockout?

The account lockout is a security mechanism designed to assist in preventing unauthorised individuals from illegally accessing your account.

It enables us to provide protection for your user account and your data while we investigate the cause of the failed login attempts. If this is simple user error, your account will be reactivated within 24 business hours.

2C. Will the system warn me before my account is locked out?

Yes. You will see a message on the screen with each failed login attempt that indicates how many attempts you have remaining until your account is locked out, as shown in Figure 3 below:

Figure 3: Account lockout message

Screenshot of the warning message of impending lockout when incorrect passphrase is entered

2D. How do I know my account is locked out?

The message as shown in Figure 4 below will appear on screen when your account is locked out:

Figure 4: User locked out message

Screenshot of screen when a user is locked out

You will also receive the email as shown in Figure 5 to the email address recorded in your account in the system:

Figure 5: Email notification: Account locked out

Screenshot of email notification when a user is locked out

2E. How do I get my account reactivated?

Contact the Energy Rating Team to request an account reactivation. Please include the email address your account is registered to, as well as your username.

We reserve the right to request additional information to confirm your identity as the legal owner of the account.

Once our team is satisfied that no suspicious or malicious activity has occurred, your account will be reactivated, and you will be notified by the Energy Rating Team. You will need to reset your passphrase before you can log in.

2F. I can’t access the email address to which my account is registered. What can I do to get my account reactivated?

Contact the Energy Rating Team explaining your situation. Please include the email address in question, and your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).

We reserve the right to request additional information to confirm your identity as the legal owner of the account.

2G. Why isn’t my account reactivated automatically?

Failed login attempts must be investigated before we can reactivate the user account. Keeping the account locked while we investigate protects your account and your data.

2H. What happens if my account can’t be reactivated?

If we identify that your account has been compromised, or uncover evidence that reactivating your account may pose a security risk, your existing account will remain locked and we will arrange for a new account to be created for you. We will assist you in getting set up so that you may continue to use the system as you did under your previous account, as well as potentially retrieving any data you may need from your old account.

For security reasons, you will not be permitted to access your old account again.

3. Automatic Account Deactivation

3A. What happens with automatic account deactivation?

If you have not logged in to your account in over 30 days, the system will automatically deactivate your account.

3B. Why will my account be deactivated after 30 days?

The automatic deactivation of your account after 30 days is a security measure designed to protect your account and the data you have access to, in the event that you are away for an extended period of time or leave your organisation or business entirely.

3C. Does this mean my account has been deleted?

No. It does not mean your account has been deleted; it simply means it has temporarily been deactivated to prevent unauthorised access. At no point in this process is your account deleted.

3D. How will I know my account is deactivated?

The system will notify you in a few ways if your account is deactivated:

  1. You will receive warning emails prior to the deactivation occurring that your account will be deactivated on a certain date. See Figure 6 below.

    Figure 6: Email notification - Account deactivation warning

    Screenshot of email notification when a user is warned of possible account deactivation
  2. You will receive an email notification when your account has been deactivated. See Figure 7 below.

    Figure 7: Email notification - Account deactivated

    Screenshot of email notification when a user account is deactivated
  3. If you attempt to log in to your account after it has been deactivated, you will see the message as shown in Figure 8 below.

    Figure 8: Account deactivated message

    Screenshot of message when an attempt is made to log in to a deactivated account

3E. What do I need to do to reactivate my account?

Follow the instructions in the email and reset your passphrase. You cannot use the same passphrase as you used previously. You then need to log in to your account to complete the reactivation process. Simply resetting your passphrase won't reactivate your account.

If you do not reactivate your account within 12 months of this initial deactivation, you will need to contact the Energy Rating Team to have your account reactivated.

3F. My account isn’t being reactivated even though I followed the instructions. What should I do next?

Contact the Energy Rating Team explaining your situation. Please include the email address in question, your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).

We reserve the right to request additional information to confirm your identity as the legal owner of the account.

3G. I’m not getting the emails. What do I do?

Contact the Energy Rating Team explaining your situation. Please include the email address in question, your account username, along with any other relevant information (e.g. alternate email address, approval from the Applicant organisations you have access to in the system, etc.).

We reserve the right to request additional information to confirm your identity as the legal owner of the account.

3H. Why am I already receiving an email telling me my account is deactivated when these changes just happened?

Your account may have been inactive for over 30 days prior to these changes being rolled out, so the system is letting you know your account has been deactivated.

Follow the instructions outlined in the email to reactivate your account.

3I. Why am I getting an email telling me my account is deactivated when I just reset my passphrase yesterday?

The reactivation process is a two-step process:

  1. Reset your passphrase
  2. Log in to your account.

In order to complete the reactivation process, you need to log in as soon as you have reset your passphrase.
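The lockout (2A), passphrase expiry (1I), inactivity deactivation (3A) and two-step reactivation (3E, 3I) rules described on this page fit together as one account lifecycle. The model below is an added illustration, not the Registration System's code; the reference date, messages and field names are assumptions, and the 12-month limit on self-service reactivation is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                    # lockout threshold (Q2A)
PASSPHRASE_LIFETIME = timedelta(days=90)   # passphrase expiry (Q1I)
INACTIVITY_LIMIT = timedelta(days=30)      # automatic deactivation (Q3A)
def day(n: int) -> datetime:  # n days after 1 Aug 2022, a constructed reference date
    return datetime(2022, 8, 1) + timedelta(days=n)

@dataclass
class Account:
    passphrase: str
    passphrase_set: datetime
    last_login: datetime
    failed_attempts: int = 0
    locked: bool = False       # cleared only by team_reactivate()
    deactivated: bool = False
    needs_reset: bool = False  # a passphrase reset must precede the next login
    history: list = field(default_factory=list)

    def attempt_login(self, passphrase: str, now: datetime) -> str:
        """Return the outcome a user would see on screen for this attempt."""
        if self.locked:
            return "locked: contact the Energy Rating Team"
        if not self.deactivated and now - self.last_login > INACTIVITY_LIMIT:
            self.deactivated = self.needs_reset = True   # Figure 7 email point
        if self.needs_reset:
            return "reset required: set a new passphrase before logging in"
        if passphrase != self.passphrase:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True       # Figure 4 screen and Figure 5 email
                return "locked: contact the Energy Rating Team"
            return f"incorrect: {MAX_FAILED_ATTEMPTS - self.failed_attempts} attempts remaining"
        if now - self.passphrase_set > PASSPHRASE_LIFETIME:
            return "expired: change your passphrase"   # Figure 2 screen
        # A successful login is the step that completes reactivation (Q3I).
        self.failed_attempts, self.deactivated, self.last_login = 0, False, now
        return "ok"

    def reset_passphrase(self, new: str, now: datetime) -> bool:
        """Reject reuse of the current or any previous passphrase (Table 1)."""
        if new == self.passphrase or new in self.history:
            return False
        self.history.append(self.passphrase)
        self.passphrase, self.passphrase_set, self.needs_reset = new, now, False
        return True

    def team_reactivate(self) -> None:
        """Manual unlock by the Energy Rating Team; a reset is still required (Q2E)."""
        self.locked, self.failed_attempts, self.needs_reset = False, 0, True
```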