Overview:
Prohibit password reuse for a specified number of generations.
Action Items:
3.5.8[a]
Determine if: the number of generations during which a password cannot be reused is specified.
3.5.8[b]
Determine if: reuse of passwords is prohibited during the specified number of generations.
Potential Assessment Methods and Objects:
1) Examine: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records.
2) Interview: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers.
3) Test: Mechanisms supporting or implementing password-based authenticator management capability.
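The "Test" assessment object above asks whether the mechanism actually refuses a password that was used within the last N generations. The following Python module is an added illustration of such a mechanism, not code from the article or from any particular product; the class name PasswordHistory, the per-user store, and the PBKDF2 parameters are assumptions chosen for the example. It keeps only salted verifiers (never plaintext) of the last N passwords per user, rejects a change that matches any of them, and lets an assessor exercise the boundary: the (N+1)th-oldest password becomes reusable again.

```python
"""Password-history enforcement for NIST SP 800-171 3.5.8 (added example)."""
import hashlib
import hmac
import os
from collections import deque

# PBKDF2 parameters are assumptions for this example; a real deployment
# should use its platform's configured password hashing scheme.
_PBKDF2_ITERATIONS = 50_000
_SALT_BYTES = 16


class PasswordHistory:
    """Stores the last `generations` password verifiers per user and
    refuses any new password that matches one of them (3.5.8[b])."""

    def __init__(self, generations: int):
        # 3.5.8[a]: the number of generations must be explicitly specified.
        if generations < 1:
            raise ValueError("generations must be a positive integer")
        self.generations = generations
        # user -> deque of (salt, digest); deque drops the oldest entry
        # automatically once more than `generations` passwords are stored.
        self._history: dict[str, deque] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash so stored history does not reveal old passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   _PBKDF2_ITERATIONS)

    def is_reused(self, user: str, password: str) -> bool:
        """True if `password` matches any of the user's last N passwords."""
        for salt, digest in self._history.get(user, ()):
            candidate = self._derive(password, salt)
            # Constant-time comparison avoids leaking which entry matched.
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def change_password(self, user: str, new_password: str) -> bool:
        """Record the new password; return False (and change nothing)
        if it reuses one of the last `generations` passwords."""
        if self.is_reused(user, new_password):
            return False
        salt = os.urandom(_SALT_BYTES)
        history = self._history.setdefault(
            user, deque(maxlen=self.generations))
        history.append((salt, self._derive(new_password, salt)))
        return True

    def stored_generations(self, user: str) -> int:
        """How many past verifiers are currently retained for `user`."""
        return len(self._history.get(user, ()))


if __name__ == "__main__":
    # Constructed walk-through an assessor might script: with N=3,
    # the first password is blocked until three newer ones have been set.
    h = PasswordHistory(generations=3)
    for pw in ("Spring-2022!", "Summer-2022!", "Autumn-2022!"):
        assert h.change_password("alice", pw)
    print("reuse of 1st password blocked:",
          not h.change_password("alice", "Spring-2022!"))
    h.change_password("alice", "Winter-2022!")  # pushes the 1st one out
    print("reuse allowed after N newer passwords:",
          h.change_password("alice", "Spring-2022!"))
```

During an assessment, the same three-step probe (set N distinct passwords, attempt to reuse the first, set one more, attempt again) can be run against the real authenticator management mechanism, and the expected outcomes are the ones this module produces: rejection inside the window, acceptance once the password has aged out of it.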
Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) password policy
3) procedures addressing authenticator management
4) system security plan
5) system design documentation
6) system configuration settings and associated documentation
7) password configurations and associated documentation
8) other relevant documents or records
Additional Guidance:
Password lifetime restrictions do not apply to temporary passwords.
Article ID: 156
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-password-reuse-3-5-8-156.html