03.05.07: Password Management

Control Family: Identification and Authentication

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-63-3 [27]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.05.07

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • IA-05(01)

a. Maintain a list of commonly-used, expected, or compromised passwords, and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised.

b. Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.

c. Transmit passwords only over cryptographically protected channels.

d. Store passwords in a cryptographically protected form.

e. Select a new password upon first use after account recovery.

f. Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules].

Discussion:

Password-based authentication applies to passwords used in single-factor or multifactor authentication. Long passwords or passphrases are preferable to shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish and enforce certain rules for password generation (e.g., minimum character length) under certain circumstances. Account recovery can occur, for example, when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity and reduces susceptibility to authenticator compromises. Long passwords and passphrases can be used to increase the complexity of passwords.
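The following Python is an added illustration of how requirements a, b, d, e and f fit together in one password-handling routine; it is not part of SP 800-171 and is not NIST-provided code. The deny list, the service name "Acme Portal", the username, the 12-character minimum and the PBKDF2 iteration count are constructed or assumed values that an organization would replace with its own defined parameters (ODP[01], ODP[02]) and its actual breach-corpus list.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the organization-maintained list of commonly used,
# expected, or compromised passwords (03.05.07 a.). In production this is
# loaded from breach corpora and refreshed on the organization-defined schedule.
COMPROMISED_PASSWORDS = {
    "password", "password1234", "123456", "qwerty", "letmein", "welcome1",
}

# Assumed organization-defined composition rule (ODP[02]): minimum length only,
# in line with the discussion's preference for length over character classes.
MIN_LENGTH = 12

# Assumed KDF parameters for storage (03.05.07 d.): per-user random salt plus
# a deliberately slow one-way function.
PBKDF2_HASH = "sha512"
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def _context_terms(service_name, username):
    """Context-specific words the discussion calls out: service name, username
    and simple derivatives (lower-cased, whole and split into words)."""
    terms = set()
    for raw in (service_name, username):
        base = raw.lower()
        terms.add(base)
        terms.add(re.sub(r"[^a-z0-9]", "", base))   # separators stripped
        terms.update(re.split(r"[^a-z0-9]+", base))  # individual words
        terms.add(base.split("@")[0])               # local part of an e-mail username
    return {t for t in terms if len(t) >= 4}        # ignore very short fragments


def _is_repetitive_or_sequential(pw):
    """Reject a single repeated character or a strictly ascending/descending
    run such as 'aaaaaaaaaaaa' or 'abcdefghijkl'."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs in ({1}, {-1})


def check_password(candidate, service_name, username, deny_list=COMPROMISED_PASSWORDS):
    """Screening at create/update time (03.05.07 b. and f.).
    Returns (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than minimum length"
    lowered = candidate.lower()
    if lowered in deny_list:
        return False, "appears on the compromised/common password list"
    if _is_repetitive_or_sequential(candidate):
        return False, "repetitive or sequential characters"
    for term in sorted(_context_terms(service_name, username)):
        if term in lowered:
            return False, f"contains context-specific term '{term}'"
    return True, "ok"


def hash_password(password, must_change=False):
    """Produce the record to persist (03.05.07 d.): salt + one-way KDF output,
    never the password itself. must_change=True marks a temporary password
    issued during account recovery (03.05.07 e.)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"kdf": "pbkdf2-" + PBKDF2_HASH, "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex(), "must_change": must_change}


def verify_password(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def login(password, record):
    """Logon outcome: a recovery password authenticates once but must be
    replaced before the session proceeds (03.05.07 e.)."""
    if not verify_password(password, record):
        return "denied"
    if record["must_change"]:
        return "password change required"
    return "authenticated"


if __name__ == "__main__":
    for pw in ("Password1234", "Acme-Summer-Break-77", "correct horse battery staple"):
        print(pw, "->", check_password(pw, "Acme Portal", "jdoe@example.com"))
    rec = hash_password("correct horse battery staple")
    print(login("correct horse battery staple", rec))
```

The deny-list check deliberately runs before the composition checks, so a long password that appears in a breach corpus is still rejected; transmission over a protected channel (item c) is a property of the transport, not of this routine, and is assumed to be handled by TLS in front of it.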

Assessment Methods and Objectives

Examine [SELECT FROM: identification and authentication policy and procedures; password policy; procedures for authenticator management; system design documentation; system configuration settings; password configurations; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with authenticator management responsibilities; personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: mechanisms for supporting or implementing a password-based authenticator management capability]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.05.07.ODP[01]: the frequency at which to update the list of commonly used, expected, or compromised passwords is defined.

A.03.05.07.ODP[02]: password composition and complexity rules are defined.

A.03.05.07.a[01]: a list of commonly used, expected, or compromised passwords is maintained.

A.03.05.07.a[02]: a list of commonly used, expected, or compromised passwords is updated <A.03.05.07.ODP[01]: frequency>.

A.03.05.07.a[03]: a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.

A.03.05.07.b: passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.

A.03.05.07.c: passwords are only transmitted over cryptographically protected channels.

A.03.05.07.d: passwords are stored in a cryptographically protected form.

A.03.05.07.e: a new password is selected upon first use after account recovery.

A.03.05.07.f: the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.