Skip to Content

Password-Based Authentication IA-5(1)

703  Matthew Burdick September 30, 2022  Identification and Authentication (IA)

Overview:
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and
special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Supplemental Guidance:
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords.


Related control:IA-6.


Action Items:
1) Ensure password based authentication follows organizational best practices

 

Related Documents:
1) Identity and Access Management Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
IA-5 (1) (b) [at least one]
IA-5 (1) (e) [twenty four]


Moderate Additional FedRAMP Requirements and Guidance
IA-5 (1) (a), and (d) Additional FedRAMP Requirements and Guidance: Guidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant

 
Not Rated
Secure Code