Skip to content

5.04-Password Requirements

Task Password_Requirements: Define and implement best password policies and practices

Conditions

Given a network, implement stronger password policies

Standards

Upon moving into the Recovery Phase, the IR Team should recommend stronger password policies

  • Remove Periodic Password Change Requirements
  • Use A Password Manager
  • Recommend the use of a secure Password Manager (i.e. KeePass, LastPass, etc.)
  • Minimum Password Length
  • Ensure password length of at least 8 characters in accordance with NIST standards.
  • Encourage the use of passphrases (a string if words that makes a password long and memorable)
  • Implement Screening of New Passwords
  • When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

Passwords obtained from previous breach corpuses. * Dictionary words
* Repetitive or sequential characters (e.g. aaaaaa, 1234abcd)
* Context-specific words, such as the name of the service, the username, and derivatives thereof

End State

The IR Team provides secure password policies to implement

Notes

N/A

References

NIST Special Publication 800-63B

Revision History