IA.L2-3.5.8 Password Reuse

Prohibit password reuse for a specified number of generations.

Source: NIST SP 800-171 Rev 2 3.5.8

Discussion: Password lifetime restrictions do not apply to temporary passwords

Assessment Objectives:

Determine if:

• [a] the number of generations during which a password cannot be reused is specified and
• [b] reuse of passwords is prohibited during the specified number of generations.

Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

SPRS Score: 1

POA&M Allowed: Yes