3.5 IDENTIFICATION AND AUTHENTICATION

3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password

By wnoble2005@gmail.com (William Noble) 📅 2024-03-01
NIST 800-171 control 3.5.9 promotes stronger passwords by requiring temporary passwords to be changed immediately upon logging in. This reduces the risk of an unauthorized party using the temporary password if it is intercepted. Users are accountable for creating a strong permanent password. Implementing this control involves issuing temporary passwords and requiring their change at first login.

Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.

Benefits:

Enhanced Security: Temporary passwords are typically random and complex, making them harder to guess or crack than permanent passwords that users might reuse across systems. Because the temporary password must be replaced at first logon, an intercepted one has only a brief window of usefulness, which reduces the risk of unauthorized access.

Reduced Insider Threat: By requiring an immediate change to a permanent password, this control mitigates the risk even if a malicious insider gains access to the temporary password.

Accountability:

Senior Management: Sets the overall security posture and allocates resources for implementing 3.5.9. They ensure the IT security team and system owners have the necessary training and tools.

IT Security Team: Implements the technical aspects of 3.5.9. This includes configuring systems to enforce mandatory password changes after temporary logins. They also educate system owners and users on the importance of strong passwords.
System Owners: Responsible for understanding the security requirements for their systems. They work with the IT security team to ensure 3.5.9 is implemented effectively for their systems. This might involve defining password complexity requirements and disabling inactive accounts.

Individual Users: Accountable for following password security practices. This includes creating a strong password when prompted to replace the temporary one and avoiding password reuse. They should report any suspicious activity related to their temporary passwords.

Implementation:

System Configuration: Configure user accounts to require password changes upon first login. This applies to both new account creation and password resets.

Password Policy Enforcement: Enforce strong password complexity requirements for permanent passwords. This includes minimum password length, a combination of character types (uppercase, lowercase, numbers, symbols), and disallowing password reuse for a certain timeframe.

User Awareness Training: Educate users on the importance of strong passwords. Train them to create unique passwords for each system and avoid common pitfalls like writing passwords down.

Password Management Tools: Consider implementing password managers. These tools can generate and store strong, unique passwords for users, improving overall password hygiene.

Category: Cybersecurity Maturity Model
Family: Identification and Authentication (AC 3.5)
Type: Derived Security Requirements