This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; [FedRAMP Assignment: (L)(M) At Least one, (H) At least fifty percent (50%)]
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and [FedRAMP Assignment: (L)(M)(H) Twenty Four (24)]
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multi-factor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.
Related Controls: IA-6.
38North Guidance:
Meets Minimum Requirement:
IA-5(1).a.5 - Enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type.
IA-5(1).b.2 - Enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created.
IA-5(1).c - Stores and transmits only encrypted representations of passwords.
IA-5(1).d.3 - Enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum.
IA-5(1).d.4 - Enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum.
IA-5(1).e.2 - Prohibits password reuse for the organization-defined number of generations.
IA-5(1).f - Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Best Practice:
Implement password complexity rules requiring a minimum number of characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters.
Protect all passwords in transit and at rest: transmit them only over encrypted connections, and store only salted, one-way hashes rather than the passwords themselves.
If Active Directory (AD) is used, ensure that the "Store passwords using reversible encryption" policy setting is disabled.
Enforce minimum and maximum password lifetime restrictions, for example a minimum password age of one day and a maximum of 90 days.
Prevent the reuse of passwords.
Change all default passwords on devices or software.
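A checker for the password rules listed above, as an added example that is not 38North's or NIST's code: it applies the FedRAMP values quoted in the control (24 generations of history, at least 50% of characters changed for High baselines) and assumes a 14-character minimum, a one-day minimum age and a 90-day maximum age; the position-by-position reading of "changed characters" is this example's interpretation of the r4 guidance.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

# The 24 generations and the 50 % changed-character rule are the FedRAMP assignments
# quoted in the control; the length and age values below are assumed for illustration.
MIN_LENGTH = 14
MIN_CHANGED_FRACTION = 0.5      # FedRAMP (H); (L)(M) require only one changed character
HISTORY_GENERATIONS = 24
MIN_AGE, MAX_AGE = timedelta(days=1), timedelta(days=90)
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted one-way hash (PBKDF2-HMAC-SHA256); only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_violations(password: str) -> list:
    checks = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a special character": any(c in SPECIALS for c in password),
    }
    return [f"needs {name}" for name, ok in checks.items() if not ok]

def changed_fraction(current: str, new: str) -> float:
    """Share of the current password's positions that differ in the new one;
    positions the new password no longer has count as changed (assumed reading)."""
    changed = sum(1 for i, c in enumerate(current) if i >= len(new) or new[i] != c)
    return changed / len(current)

def is_reused(password: str, history: list) -> bool:
    """Re-derive the hash under each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_GENERATIONS:])

def change_violations(current: str, new: str, history: list,
                      last_set: datetime, now: datetime) -> list:
    problems = complexity_violations(new)
    if now - last_set < MIN_AGE:
        problems.append("minimum password age not reached")
    if changed_fraction(current, new) < MIN_CHANGED_FRACTION:
        problems.append("too few characters changed")
    if is_reused(new, history):
        problems.append(f"reused within the last {HISTORY_GENERATIONS} generations")
    return problems

def is_expired(last_set: datetime, now: datetime) -> bool:
    return now - last_set > MAX_AGE
```

Temporary passwords issued under IA-5(1)(f) would bypass only the age checks, not the complexity or history checks, when forced to change at first logon.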
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Password policy for complexity requirements.
Application policy for complexity requirements.
Password encryption policy requirements.
Email communication or account creation tickets.
CSP Implementation Tips: TBD