Skip to Content

NIST 800-171 - Password Complexity (3.5.7)

155  Matthew Burdick September 27, 2022  Identification and Authentication

Overview:
Enforce a minimum password complexity and change of characters when new passwords are created.


Action Items:
3.5.7[a]
Determine if: password complexity requirements are defined.


3.5.7[b]
Determine if: password change of character requirements are defined.


3.5.7[c]
Determine if: minimum password complexity requirements as defined are enforced when new passwords are created.


3.5.7[d]
Determine if: minimum password change of character requirements as defined are enforced when new passwords are created.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1
Examine: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].


2
Interview: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].


3
Test: Mechanisms supporting or implementing password-based authenticator management capability].


Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) password policy
3) procedures addressing authenticator management
4) system security plan
5) system configuration settings and associated documentation
6) system design documentation
7) password configurations and associated documentation
8) other relevant documents or records


Additional Guidance:
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

 
Not Rated
Secure Code