
3.5 IDENTIFICATION AND AUTHENTICATION



3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created

By wnoble2005@gmail.com (William Noble) 📅 2024-03-01
NIST 800-171 control 3.5.7 helps secure passwords by requiring a mix of character types (uppercase, lowercase, numbers, symbols) and a minimum length. It also requires that a new password differ from the current one in a minimum number of character positions, so users cannot satisfy a reset by changing a single character of the old password. IT admins are responsible for implementing this. In practice, [NIST 800-171] translates to configuring password policy on each system (minimum length, character classes, repeated-character limits, and a minimum number of changed characters) and verifying that the policy is actually enforced at password-change time. Note that the control itself does not mandate periodic password rotation; that decision is a separate policy choice.



This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

Benefits:

Stronger Defense: Enforcing minimum complexity with a mix of character types (uppercase, lowercase, numbers, symbols) makes passwords harder to crack through brute-force attacks, where attackers systematically try every possible combination.

Reduced Dictionary Attacks: These attacks rely on common words or phrases. Complexity requirements make passwords less susceptible by forcing them to be more than just dictionary terms. The caveat is that predictable substitutions ("Password1!") are still recovered quickly by rule-based cracking, so complexity rules work best alongside a minimum length and a check against lists of commonly used or compromised passwords.

Better Password Habits: The changed-character requirement stops users from satisfying a reset by incrementing a digit or swapping one symbol in the old password (Summer2023! to Summer2024!), a pattern attackers anticipate when a previously leaked password is known. Discouraging reuse of the same password across different accounts is a related but separate habit; it is addressed through user education rather than by this control.

Accountability:

Senior Management: They set the overall security direction and allocate resources for implementing password complexity requirements. They ensure the IT security team has the budget and authority to enforce these controls.



IT Security Team: They design and implement the password policy, including minimum complexity and character change rules. They configure systems to enforce these rules and educate users on password best practices.

System Owners: They work with the IT security team to ensure password policies are implemented for their specific systems. They may also raise concerns about usability or practicality of password requirements.

Individual Users: They are responsible for creating strong passwords following the established complexity rules. They should avoid password reuse and report any suspicious password reset requests.

Implementation:

Policy Configuration: Set a password policy that enforces complexity. This typically includes minimum length, character type requirements, and limitations on repeated characters. Many systems allow for policy configuration.

Password Changes: Control 3.5.7 requires a minimum number of changed characters whenever a new password is created; it does not by itself require periodic resets. NIST SP 800-63B advises against arbitrary periodic changes and recommends forcing a change when there is evidence of compromise. If your organization chooses to rotate passwords anyway, set the interval according to your risk tolerance and make sure the changed-character rule is enforced at each rotation, since rotation without it tends to produce predictable sequences.

User Education: Educate your users on strong password practices. Emphasize the importance of unique passwords and avoiding reuse. Password managers can be a great tool to assist users in creating and managing strong, unique passwords.
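The checks described under Implementation, and the changed-character definition in the control discussion above ("the number of changes required with respect to the total number of positions in the current password"), are shown below in working code. This is an added example, not code from the page, from NIST, or from any vendor product; the thresholds (14 characters, 3 character classes, runs of at most 3, at least 4 changed positions) are assumed values chosen for illustration and should be replaced by the figures in your own policy. The positional comparison follows the control's wording literally; because a reversal or rotation of the old password changes every position, the example also rejects those trivially derived forms.

```python
"""Password policy checker for NIST SP 800-171 control 3.5.7.

Added example (not from the page, NIST, or any vendor). All thresholds in
PasswordPolicy are assumed values for illustration.
"""
import string
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14            # assumed value; set to your SSP figure
    min_classes: int = 3            # of upper / lower / digit / symbol
    max_repeat: int = 3             # longest permitted run of one character
    min_changed_positions: int = 4  # changed-character rule from 3.5.7


CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(pw: str) -> Set[str]:
    """Names of the character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def longest_run(pw: str) -> int:
    """Length of the longest run of a single repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def changed_positions(old: str, new: str) -> int:
    """Positions that differ between old and new, per the control's wording.

    Compares position by position; any length difference counts as changed
    positions (characters inserted at or deleted from the end).
    """
    common = sum(1 for a, b in zip(old, new) if a != b)
    return common + abs(len(old) - len(new))


def trivially_derived(old: str, new: str) -> bool:
    """True if new is just old reversed or rotated (case-insensitive).

    These defeat a purely positional count because every position changes.
    """
    o, n = old.lower(), new.lower()
    if len(o) != len(n) or not o:
        return False
    return n == o[::-1] or (n != o and n in o + o)


def evaluate(new: str, old: Optional[str] = None,
             policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = character_classes(new)
    if len(classes) < policy.min_classes:
        problems.append(f"uses {len(classes)} character classes, need {policy.min_classes}")
    if longest_run(new) > policy.max_repeat:
        problems.append(f"repeats a character more than {policy.max_repeat} times in a row")
    if old is not None:
        changed = changed_positions(old, new)
        if changed < policy.min_changed_positions:
            problems.append(
                f"only {changed} position(s) differ from the current password, "
                f"need {policy.min_changed_positions}")
        if trivially_derived(old, new):
            problems.append("is a reversal or rotation of the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    current = "Correct-Horse-Battery9"
    for candidate in ("Correct-Horse-Battery8",   # one digit changed
                      "9yrettaB-esroH-tcerroC",   # reversed
                      "aaaaAAAA1111!!!!",         # long runs
                      "password",                 # short, one class
                      "Staple-Tractor-Cloud7"):   # accepted
        print(candidate, "->", evaluate(candidate, current) or "OK")
```

On Linux the same rules map onto pam_pwquality settings in /etc/security/pwquality.conf: minlen, minclass, maxrepeat and difok, with enforce_for_root so administrators are held to the policy as well. Note that difok counts characters of the new password that do not appear in the old one, which is a different measure from the positional count above; pick one definition, document it in your policy, and test it against incremented and reversed passwords before relying on it.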



Category:Cybersecurity Maturity Model
Family:Identification and Authentication (IA 3.5)
Type:Derived Security Requirements
#CybersecurityMaturityModel #DerivedSecurityRequirements


Q4Q Technical Solutions

© q4q.com 1999-2024