In the coming weeks, the GEMS Regulator will be making some important changes to how users access the Energy Rating Product Registration System (the Registration System).
These changes will impact all users of the Registration System.
They are being rolled out to boost the security and resilience of the Registration System against cyber-attacks.
These changes involve:
- Replacing passwords with passphrases and implementing a new passphrase policy;
- Locking out user accounts after five failed attempts to log in; and
- Automatically deactivating accounts that have not been accessed in over 30 days.
These changes will be applied outside of business hours, Australian Eastern Standard Time, on Tuesday, 28th September 2021. This will allow us to minimise the impact of the rollout on users as much as possible.
Please read the information below for an overview of the changes.
More specific details can be found .
1. Replacing passwords with passphrases
Following the rollout, all users will be required to use passphrases instead of passwords when logging in to the Registration System.
A passphrase is a series of words and characters that is used to access a system. It is similar to a password, but is longer and more complex. This makes it more secure and more difficult for cyber criminals to hack.
Users will be required to change their existing passwords to passphrases when this change comes into effect. The new passphrase must meet the requirements of the new passphrase policy, which can be found .
Users will be required to reset their passphrase every 90 days.
2. Account lockout after five failed login attempts
Users who fail to enter their passphrases correctly five times in a row will be locked out and will be required to contact the Energy Rating Team for approval to have their account unlocked.
The account lockout is a security mechanism designed to assist in preventing unauthorised individuals from illegally accessing your account. It also enables us to provide protection for your user account and your data while we investigate the cause of the failed login attempts.
3. Automatic deactivation of accounts inactive longer than 30 days
User accounts that have not been accessed in over 30 days will be automatically deactivated by the system. This does not mean your account has been deleted or removed; it has simply been temporarily switched off.
This is a security measure designed to protect your account and the data you have access to in the system, in the event that you are away for an extended period of time or leave your organisation or business entirely.
Users will be required to reset their passphrase and then log in to reactivate their account.
What do I need to do?
No action is required at this stage.
However, there are some steps you can take to prepare yourself for these changes:
- Familiarise yourself with passphrases and think of some suitable passphrases you might use, noting you may need to adjust these to meet the new passphrase policy;
- Log in to your account to ensure it is active. If your account is not currently active (i.e. you receive a message saying “This account is inactive”), please contact us. Note that we may request additional information to verify your identity before we re-activate your account;
- , so that you can receive relevant updates about the changes.
- Read the information that will be provided in coming weeks and familiarise yourself with the specific actions you will need to take;
- Ensure you are not sharing your account details with anyone else, or using shared accounts;
- Communicate this information to relevant staff in your organisation who also have access to the Registration System.
Additional communications regarding these changes will be issued in coming weeks as a reminder of these changes coming into effect.
In the meantime, please on the registration system for specific details regarding these changes.
Please contact us if you have any questions.