Overview:
Store and transmit only cryptographically protected representations of passwords.
Action Items:
3.5.10[a] Determine if: passwords are cryptographically protected in storage.
3.5.10[b] Determine if: passwords are cryptographically protected in transit.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1. Examine: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records.
2. Interview: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers.
3. Test: Mechanisms supporting or implementing password-based authenticator management capability.
Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) password policy
3) procedures addressing authenticator management
4) system security plan
5) system configuration settings and associated documentation
6) system design documentation
7) password configurations and associated documentation
8) other relevant documents or records
Additional Guidance:
Cryptographically-protected passwords include, for example, salted one-way cryptographic hashes of passwords. See NIST Cryptographic Standards.
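As an added example (not part of the original article, and not an implementation prescribed by NIST), the following Python shows what a salted one-way hash for the storage objective 3.5.10[a] looks like in practice: only the algorithm tag, iteration count, salt and digest are written to the credential store, the plaintext never is, and each password gets its own random salt. The record format, the iteration count and the PBKDF2-HMAC-SHA256 choice are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; tune the work factor to the target hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the storable record: algorithm$iterations$salt_hex$hash_hex.

    Only this record is written to the credential store, never the plaintext.
    A fresh random salt per password means two users with the same password
    still get different records, so one cracked record does not reveal the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record.

    hmac.compare_digest keeps the comparison constant-time, and a malformed
    record is treated as a failed verification instead of raising an exception.
    """
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```

When assessing 3.5.10[a], the record format above is the kind of artifact to look for in the credential store: a per-entry salt and a slow one-way digest, with no reversible or plaintext form present.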
Article ID: 158
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-password-transmission-and-storage-3-5-10-158.html