Configure the "Password must meet complexity requirements" to organizational standards.

CONTROL ID: 07743
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Minimum password complexity (ie, alphanumeric) and history; (1.6. ¶ 1 (c), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • In addition, it is necessary to alleviate the risk of leakage by utilizing measures such as setting initial passwords which will be difficult to guess. (P26.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Passwords represent the first line of defence, and if not implemented appropriately, they can be the weakest link in the organisation. Thus, the FI should enforce strong password controls over users’ access to applications and systems. Password controls should include a change of password upon fir… (§ 11.1.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. (Control: ISM-0421; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters. (Control: ISM-1557; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters. (Control: ISM-0422; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed. (Control: ISM-1685; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed. (Control: ISM-1685; Revision: 2, Australian Government Information Security Manual, June 2024)
  • Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. (Control: ISM-0421; Revision: 8, Australian Government Information Security Manual, June 2024)
  • Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters. (Control: ISM-1557; Revision: 2, Australian Government Information Security Manual, June 2024)
  • Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters. (Control: ISM-0422; Revision: 8, Australian Government Information Security Manual, June 2024)
  • are not a list of categorised words. (Security Control: 1558; Revision: 1; Bullet 3, Australian Government Information Security Manual, March 2021)
  • do not form a real sentence in a natural language (Security Control: 1558; Revision: 1; Bullet 2, Australian Government Information Security Manual, March 2021)
  • are not constructed from song lyrics, movies, literature or any other publicly available material (Security Control: 1558; Revision: 1; Bullet 1, Australian Government Information Security Manual, March 2021)
  • Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words. (Security Control: 0422; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. (Security Control: 0421; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words (Security Control: 1557; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed. (Control: ISM-1685; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters. (Control: ISM-0422; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters. (Control: ISM-1557; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. (Control: ISM-0421; Revision: 8, Australian Government Information Security Manual, September 2023)
  • The organization must implement a passphrase policy that enforces a 12 alphabetic character minimum length with no complexity requirements or a 9 alphabetic character minimum length with a character from at least 3 of the character sets (lowercase alphabetic characters, uppercase alphabetic characte… (Control: 0421, Australian Government Information Security Manual: Controls)
  • The organization must implement a passphrase policy that enforces a 15 alphabetic character minimum length with no complexity requirement or a 10 alphabetic character minimum length with a character from at least 3 of the character sets (lowercase alphabetic characters, uppercase alphabetic characte… (Control: 0422, Australian Government Information Security Manual: Controls)
  • The organization must audit the passphrases of privileged account on a regular basis to ensure they meet the length or complexity requirements. (Control: 0445 Bullet 5, Australian Government Information Security Manual: Controls)
  • If the password contains both numeric and alphabetic characters, the minimum length should be 7 characters. (§ 3.6.11, Australian Government ICT Security Manual (ACSI 33))
  • The system should implement randomized local administrator passphrases that are unique and complex. (Mitigation Strategy Effectiveness Ranking 17, Strategies to Mitigate Targeted Cyber Intrusions)
  • Are strong, complex passwords defined in policy and enforced technically for all users and administrators? (Secure configuration Question 11, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Are users authenticated using difficult to guess passwords, as a minimum, before being granted access to applications and computers? (Access control Question 33, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • How to avoid choosing obvious passwords (such as those based on easily-discoverable information). (Access control Question 32(a), Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • At least two of the following character types must be included: Capital letters, minor letters, special characters and numbers (Section 5.7 IDM-11 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • App 2 ¶ 14.c: For IT systems that process and access restricted information, the system shall use passwords that are a minimum of 6 characters long (9 characters are preferred) and shall include alphabetic, numeric, and special characters. This is applicable to UK contractors. App 6 ¶ 15.c: For IT… (App 2 ¶ 14.c, App 6 ¶ 15.c, The Contractual process, Version 5.0 October 2010)
  • Users are required to use robust passwords that are long in length and mix letters, numbers and symbols. (§ IV.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are users required to use robust passwords (long in length; mix of letters, numbers, and symbols)? (Table Row IV.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are administrative accounts changed quarterly with very strong passwords? (Table Row XI.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The password should be complex, containing a combination of uppercase letters, lowercase letters, numbers, and special characters. The password should not be a word or combination of words from any dictionary. Mac OS X only supports standard ASCII characters. Password Assistant, a program included i… (Pg 24, Pg 51, Pg 149, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • This setting enables or disables the computer from checking new passwords to see if they meet the password complexity requirements. To meet the complexity requirements, the password must have characters from three of the following categories: uppercase letters, lowercase letters, numbers, and specia… (Pg 4, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (7C1A8FF5-4860-476D-8089-98559CBDD62D, Win7SP1 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (D9AEE28C-9CF2-412F-B2EC-A666AA8B319F, Win8 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (67573150-5978-464C-A469-D081EDF30BE6, WinVistaSP2 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (298CA6B0-8D45-4FE0-B8C7-DDAB6E887E02, WinXPSP3 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (442A6242-30C2-44D5-A6EA-3B3CD3D28662, WS2003SP2 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (2D1F8381-DA0B-4EA8-9F99-54F67C81CAEA, WS2008R2SP1 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (43F11340-45D4-4D4E-9E19-7B28A4A1B0BB, WS2008SP2 Domain Security Compliance, 1.0)
  • Configure the "Password must meet complexity requirements" setting to "Enabled". (52347A23-C8BE-4CE3-B31B-8FACC34605B6, WS2012 Domain Security Compliance, 1.0)
  • (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain … (1.1.5, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 1)
  • (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only) Description: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an org… (18.2.4, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 1)
  • (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain … (1.1.5, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 2)
  • (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only) Description: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an org… (18.2.4, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 2)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: . Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.6.1_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: . Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.6.2_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: . Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.6.1_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: . Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.6.2_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.1_, The Center for Internet Security Microsoft Windows 8 Level 1 + BitLocker Benchmark, 1.0.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.1_, The Center for Internet Security Microsoft Windows 8 Level 1 Benchmark, 1.0.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • Title: Set 'Password must meet complexity requirements' to 'Enabled' Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Set_Password_must_meet_complexity_requirements_to_Enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.6.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • Password complexity is required. This means that a password must consist of characters from three of the following four groups: uppercase letters, lowercase letters, numbers, and special characters. (Pg 13, Pg 14, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • Complex passwords consist of characters from three different groups. The four groups are uppercase letters, lowercase letters, numbers, and special characters. By using complex passwords, you are exponentially increasing the time that it will take a hacker to crack those passwords. (§ 2.2.2.4, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • Password complexity is required. This means that a password must consist of characters from three of the following four groups: uppercase letters, lowercase letters, numbers, and special characters. (§ 13, § 14, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • Password complexity will be enabled. This means that passwords will contain three of the four character groups: lowercase letters, uppercase letters, numeric, and special characters. (§ 2.2.2.4, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • Complex passwords increase exponentially the number of possible passwords. Complex passwords consist of characters from three of the following four groups: uppercase letters, lowercase letters, numbers, and special characters. This setting should be Enabled. Complex passwords is not integrated into … (Pg 16, Pg 17, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • The organization must enable password complexity. Windows XP does not provide any granularity in password complexity requirements; it is either on or off. (§ 2.2.2.4, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • For control systems utilizing password-based authentication, the control system shall provide the capability to enforce configurable password strength based on minimum length and variety of character types. (5.9.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters. (§ 8.5.11, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Inspect the system configuration settings for a sample of system components to verify that user passwords are required to have at least an alphabetic character and a numeric character. (Testing Procedures § 8.2.3.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the internal processes and user or customer documentation from service providers to verify non-consumer user passwords are required to have alphabetic characters and numeric characters. (Testing Procedures § 8.2.3.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure it has developed a password and user authentication management program that requires both numeric and alphabetic characters to be used for passwords. (§ 8.5.11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters. (§ 8.5.11 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Passwords or passphrases must contain alphabetic characters and numeric characters. (PCI DSS Requirements § 8.2.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. (8.2.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. (8.2.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. (8.2.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the par… (8.2.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the par… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the par… (8.2.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the par… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the par… (8.2.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters (8.2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters (8.2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the… (8.2.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. (8.2.3.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity: - Require a minimum length of at least seven chara… (8.2.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Secure handheld and/or laptop devices with strong passwords. (§ 4.1.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0.1)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0.1)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0.1)
  • Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement. (8.3.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The complexity defined for passwords/passphrases and appropriateness of the complexity relative to the frequency of changes. (8.6.3.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The complexity defined for passwords/passphrases and appropriateness of the complexity relative to the frequency of changes. (8.6.3.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0.1)
  • Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement. (8.3.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0.1)
  • Are user password parameters configured to require passwords or passphrases contain both numeric and alphabetic characters? (PCI DSS Question 8.2.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are user password parameters configured to require passwords or passphrases contain both numeric and alphabetic characters? (PCI DSS Question 8.2.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are user password parameters configured to require passwords or passphrases contain both numeric and alphabetic characters? (PCI DSS Question 8.2.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For service providers only: Are non-consumer customer passwords required to contain both numeric and alphabetic characters? (PCI DSS Question 8.2.3(b) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. (8.6.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Contain both numeric and alphabetic characters. (8.3.6 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: (8.3.6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The password for the payment gateway system should include both letters and numbers. (Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • General application security controls must be reviewed when the application's logical access controls are performed, including ensuring the password character combinations meet the organization's policy requirements. (§ 4 (Access Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The organization should ensure all users employ high quality passwords for their voice mailboxes. (Pg 15-IV-28, Protection of Assets Manual, ASIS International)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords contain no more than two identical characters in a row. (CF.06.04.04c, The Standard of Good Practice for Information Security)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords are not made up of all numeric or alpha characters. (CF.06.04.04e, The Standard of Good Practice for Information Security)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords contain no more than two identical characters in a row. (CF.06.04.04c, The Standard of Good Practice for Information Security, 2013)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords are not made up of all numeric or alpha characters. (CF.06.04.04e, The Standard of Good Practice for Information Security, 2013)
  • Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (2.1.9, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password. (C.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password. (2.3.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization should verify that service account passwords are long and difficult to guess. (Critical Control 12.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Non-administrator accounts should be required to have a strong password that contains numbers, letters, and special characters. (Critical Control 16.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Non-administrator accounts should be required to have strong passwords that contain letters, numbers, and special characters. (Critical Control 16.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • For components that utilize password-based authentication, those components shall provide or integrate into a system that provides the capability to enforce configurable password strength according to internationally recognized and proven password guidelines. (5.9.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The ability to enforce configurable password strength, whether it is based on minimum length, variety of characters, or duration of time (the minimum being a one-time password) is necessary to assist in increasing the overall security of user chosen passwords. Generally accepted practices and recomm… (5.9.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. (IA-5(4) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. (IA-5(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • using complex passwords and changing them periodically; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 3, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset. (CIP-007-6 Table R5 Part 5.5 Requirements 5.5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • On UNIX computers or Linux computers that transmit scoped data, are complex passwords required? (§ G.16.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are complex passwords required? (§ G.16.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are complex passwords required? (§ G.16.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are complex passwords required? (§ G.17.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are complex passwords required? (§ G.17.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are complex passwords required? (§ G.17.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are complex passwords required? (§ G.18.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are complex passwords required? (§ G.18.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are complex passwords required? (§ G.18.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, are complex passwords required? (§ G.19.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, are complex passwords required? (§ G.19.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, are complex passwords required? (§ G.19.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, are complex passwords required? (§ G.20.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, are complex passwords required? (§ G.20.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, are complex passwords required? (§ G.20.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are strong passwords required on systems transmitting scoped systems and data? (§ H.4.2, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Are strong passwords required on systems processing scoped systems and data? (§ H.4.2, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Are strong passwords required on systems storing scoped systems and data? (§ H.4.2, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are complex passwords required? (§ V.1.72.12, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Passwords must include at least one upper and lower case character, one number, and one special character. (CSR 2.9.9(7), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The System Administrator should ensure passwords include alphanumeric, non-repeating, nonconsecutive characters for systems below HMP IX 7.0. For systems above HMP IX 7.0, passwords should include upper case characters, lower case characters, numeric characters, and special characters (except slash,… (§ 3.1.6.1, § 3.1.6.2, § 3.1.6.3.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The information assurance officer should ensure passwords contain at least two alphabetic characters and one must be capitalized, at least one numeric character, and at least one special character avoiding # and @. Passwords should not contain consecutive characters or information such as names, dic… (§ 3.2.1, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • Passwords should contain at least two lowercase letters, two uppercase letters, two numbers, and two special characters. The "Password must meet complexity requirements" value should be set to Enabled. (§ 5.1.3, § 5.3.3.5, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • Passwords should contain at least two uppercase letters, two lowercase letters, two numbers, and two special characters. The "Password must meet complexity requirements" value should be set to Enabled. (§ 3.2 (2.009), § 3.5.3 (3.028), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • A password should consist of at least two lowercase letters, two uppercase letters, two numbers, and two special characters. The "Password Must Meet Complexity Requirements" value should be set to Enabled. (§ 5.1.3, § 5.3.3.5, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Wireless network device management interfaces and consoles should be password protected and the password complexity should be in accordance with the current organizational policy. Examine the network diagram and wireless devices to ensure they all require the use of passwords and the passwords are i… (§ 3.1 (WIR0330), § 4.2 (WIR0330), § 4.4 (WIR0330), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • § 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings. § 3.4 If CAC authentication is not available for Administrative passwords • Passwords will be set to a minimum of 9 characters. • Passwords will contain a mix of at least two lowercase letters, two uppercase… (§ 2.2 (WIR1250), § 3.4, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Good leverages Active Directory for Roles Based Administration so a Good SA would authenticate to the Good Management Console using their AD Account. NOTE: CAC authentication should be used for all Administrative passwords, if this capability is available. When not available, CTO 07-15, 11 Dec 2007 … (§ 3.3.3, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. § 3.4.5 If CAC authentication is not available for Administrative passwords, the passwords for all Administrative accounts will be 15 characters in length, if supported. Otherwise the password must … (§ 2.2 (WIR2250), § 3.4.5, App B.3 Row "Minimum Password Length", App B.3 Row "Admin Password", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Password complexity is required for a MFD or printer. (MFD02.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (IA.2.078, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (IA.2.078, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (IA.2.078, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (IA.2.078, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (IA.L2-3.5.7 Password Complexity, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Passwords must be at least 8 characters and case sensitive; be a mix of lower case letters, upper case letters, numbers, and special characters; and have at least one of each of these. (IAIA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Passwords must be at least 8 characters and case sensitive; be a mix of lower case letters, upper case letters, numbers, and special characters; and have at least one of each of these. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must have a process that validates the password is sufficiently strong. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • If a user is allowed to specify his/her password, automated tools can be used to ensure the password is strong. (§ 8-607.d, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency shall verify that all access points have strong administrative passwords. (§ 5.5.7.1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Passwords shall be a minimum of twenty (20) characters in length with no additional complexity requirements imposed (e.g., ASCII characters, emojis, all keyboard characters, and spaces will be acceptable). (§ 5.6.2.1.1.2 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure that all APs have strong administrative passwords and ensure that all passwords are changed in accordance with Section 5.6.2.1. (§ 5.13.1.1 ¶ 2(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Passwords shall be a minimum of twenty (20) characters in length with no additional complexity requirements imposed (e.g., ASCII characters, emojis, all keyboard characters, and spaces will be acceptable). (§ 5.6.2.1.1.2 ¶ 1 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Access controls include password complexity and limits to password attempts and reuse. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 7, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements. (App A Tier 2 Objectives and Procedures C.2 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, social security numbers, sequences of numbers, or words or numbers that can easily identify the customer. (Exam Tier II Obj 2.10, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether: ▪ Management requires operators to change their passwords at reasonable intervals. ▪ Management controls access to master password files ensuring that no one h… (Exam Tier II Obj 9.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Passwords shall be at least 6 characters in length and contain both alphabetic and numeric characters. (AC-3.2(A), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [FedRAMP Assignment: complexity as identified in IA-5 (1) Control Enhancement Part (a)]. (IA-5(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. (IA-5(4) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a) Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., FedRAMP Security Controls High Baseline, Version 5)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., FedRAMP Security Controls High Baseline, Version 5)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1(h), FedRAMP Security Controls High Baseline, Version 5)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., FedRAMP Security Controls Low Baseline, Version 5)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., FedRAMP Security Controls Low Baseline, Version 5)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1(h), FedRAMP Security Controls Low Baseline, Version 5)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1(h), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Enforce at least one (1) character change when new passwords are selected for use. (IA-5 (CE-1) h.3., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Enforce complex sequences (e.g., 73961548 – no repeating digits and no sequential digits); (IA-5 (CE-1) ¶ 3 b. (IRS-Defined):, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4 c., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Enforce minimum password complexity to contain a combination of numbers, uppercase letters, lowercase letters, and special characters. (IA-5 (CE-1) h.2., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5 ¶ 1 c., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Passwords must have a combination of alphabetic, numeric, and special characters. (Exhibit 8 Control 01, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. Technical Mechanisms: via /etc/security/user Parameters: enforce/not enforce References: 10.8.10.5.1 (2) a) (CCE-5443-7, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. Technical Mechanisms: via /etc/security/user Parameters: enforce/not enforce References: 10.8.10.5.1 (2) a) (CCE-6172-1, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • The 'Password must meet complexity requirements' policy should be set correctly. Technical Mechanisms: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements (2) WMI: Namespace = root\rsop\computer; Class = RSO… (CCE-10901-7, Common Configuration Enumeration List, Combined XML: Microsoft Windows Server 2008 R2, 5.20130214)
  • Password policy should enforce the correct amount of special characters Technical Mechanisms: via PAM Parameters: number of special characters References: 10.8.10.5.1 (2) a) (CCE-6448-5, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. Technical Mechanisms: via PAM Parameters: enforce/not enforce References: 10.8.10.5.1 (2) a) (CCE-6417-0, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The strong password WHITESPACE value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: yes / no References: Section: 7.4,Value:yes (CCE-3856-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MINDIFF value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:3 (CCE-4832-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password DICTIONDBDIR value should be configured correctly Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: path References: Section: 7.4,Value:/var/passwd (CCE-4402-4, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password DICTIONLIST value should be configured correctly Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: path References: Section: 7.4,Value:=/usr/share/lib/dict/words (CCE-4670-6, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password NAMECHECK value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: yes/no References: Section: 7.4,Value:yes (CCE-4770-4, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MINALPHA value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:2 (CCE-4572-4, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MINUPPER value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:1 (CCE-4480-0, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MINLOWER value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:1 (CCE-4731-6, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MINNONALPHA value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:1 (CCE-4753-0, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The strong password MAXREPEATS value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:0 (CCE-4775-3, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. Technical Mechanisms: via /etc/default/passwd Parameters: enforce/not enforce References: 10.8.10.5.1 (2) a) (CCE-6228-1, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. Technical Mechanisms: via /etc/default/passwd Parameters: enforce/not enforce References: 10.8.10.5.1 (2) a) (CCE-7049-0, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • The "password must meet complexity requirements" policy should be set correctly. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) enabled/disabled References: CCE-633 Password Complexity: Enabled EnPasFlt Check (CCE-3042-9, Common Configuration Enumeration List, Combined XML: Windows 2000, 5.20130214)
  • The "password must meet complexity requirements" policy should be set correctly. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) enabled/disabled References: CCE-633 Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client… (CCE-3442-1, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
  • The "Password must meet complexity requirements" setting should be configured correctly. Technical Mechanisms: (1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies) Parameters: (1) enabled/disabled References:… (CCE-2126-1, Common Configuration Enumeration List, Combined XML: Windows Server 2008, 5.20130214)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1h., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1h., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1h., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Other verifier compromise resistant secrets SHALL use approved hash algorithms and the underlying secrets SHALL have at least the minimum security strength specified in the latest revision of SP 800-131A (112 bits as of the date of this publication). Secrets (e.g., memorized secrets) having lower co… (5.2.7 ¶ 4, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL … (5.1.1.2 ¶ 9, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • This section discusses how password composition affects the password security of the system and what the organization should think about when deciding on how passwords are composed to prevent passwords from being easily compromised. (§ 3.2.1, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • The cardholder SHALL be guided in selecting a strong PIN value. The PIN SHALL be a minimum of six digits in length and SHOULD NOT be easily guessable, individually identifiable (e.g., part of a Social Security Number or phone number), or commonly used (e.g., 000000, 123456). (4.3.1 ¶ 2, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • This setting makes it more difficult to crack passwords. To make passwords more complex, the password should consist of a combination of uppercase letters, lowercase letters, numbers, and special characters. This setting should be Enabled. (§ 6.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1) ¶ 1(a) Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Passwords should have appropriate length and complexity for the required security. In particular, they should not be able to be found in a dictionary or contain predictable sequences of numbers or letters. (§ 6.2.7.1 ICS-specific Recommendations and Guidance ¶ 5 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The composition of passwords used for PDAs and cell phones should follow the organization's standards. (§ 4.1.2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules]. (03.05.07 f., NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
  • The password policy must state the complexity rules for passwords, based on the criticality level of the system being accessed. (SG.AC-21 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (3.5.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (3.5.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Enforce a minimum password complexity and change of characters when new passwords are created. (3.5.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The Information System should enforce a minimum Password Complexity, for password-based authentication. (App F § IA-5(1)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication enforces minimum password complexity of {organizationally documented requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for e… (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication enforces minimum password complexity of {organizationally documented requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for e… (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication enforces minimum password complexity of {organizationally documented requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for e… (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication enforces minimum password complexity of {organizationally documented requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for e… (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. (IA-5(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (IA-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1(h), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. (IA-5(1) ¶ 1(h), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • This setting will check all new passwords to ensure they meet the requirements for password complexity. This setting is Disabled by default. The Enable Password Complexity setting should be Enabled. (Pg 17, NSA Guide to Security Microsoft Windows XP)
  • Ensure database password complexity standards meet current minimum requirements for length and composition where supported by the DBMS. (DATABASE SECURITY IDENTIFICATION AND AUTHENTICATION: Password Attributes: ¶ 4, Guideline 661G1: Application Security, 661G1-01)
  • Configure or test database account passwords to prevent use of easily guessed or discovered values. (DATABASE SECURITY IDENTIFICATION AND AUTHENTICATION: Password Attributes: ¶ 8, Guideline 661G1: Application Security, 661G1-01)
  • Remove or disable any unused user or system accounts, rename default admin accounts, and apply complex password rules to all user accounts (in accordance with State password standards) (FIREWALL SECURITY FIREWALL PLATFORM OPERATING SYSTEM CONFIGURATION: ¶ 3 Bullet 3, Guideline 662G1: Systems Security, 662G1-00)
  • Enabled (Table 1 Column 2 Row 7, Standard 630S1: Authenticator Management, 630S1-02)
  • Enforces minimum password complexity of [TX-RAMP Assignment: case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]; (IA-5(1)(a), TX-RAMP Security Controls Baseline Level 1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., TX-RAMP Security Controls Baseline Level 1)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., TX-RAMP Security Controls Baseline Level 1)
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use; (IA-5c., TX-RAMP Security Controls Baseline Level 2)
  • Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; (MA-4c., TX-RAMP Security Controls Baseline Level 2)
  • The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. (IA-5(4) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Enforces minimum password complexity of [TX-RAMP Assignment: case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]; (IA-5(1)(a), TX-RAMP Security Controls Baseline Level 2)