IA.L2-3.5.7 Password Complexity
Enforce a minimum password complexity and change of characters when new passwords are created.
Source: NIST SP 800-171 Rev 2 3.5.7
Discussion: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
Assessment Objectives:
Determine if:
- [a] password complexity requirements are defined;
- [b] password change of character requirements are defined;
- [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
- [d] minimum password change of character requirements as defined are enforced when new passwords are created.
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
SPRS Score: 1
POA&M Allowed: Yes