IA-5.1: Password-based Authentication

An OSCAL Control

Statement

    • For password-based authentication:

      • (a)

        Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

      • (b)

        Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

      • (c)

        Transmit passwords only over cryptographically-protected channels;

      • (d)

        Store passwords using an approved salted key derivation function, preferably using a keyed hash;

      • (e)

        Require immediate selection of a new password upon account recovery;

      • (f)

        Allow user selection of long passwords and passphrases, including spaces and all printable characters;

      • (g)

        Employ automated tools to assist the user in selecting strong password authenticators; and

      • (h)

        Enforce the following composition and complexity rules:

        • Requirement:

          Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

        • (h) Requirement:

          For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

          For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

        • Guidance:

          Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).
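As an added illustration (not part of the OSCAL control text), the following Python shows how items (a), (b), (d), (f) and (h) translate into a password acceptance check and a salted, keyed storage format. It assumes an in-memory set standing in for the maintained blocklist from (a) and a constructed sample server-side key for the keyed hash in (d); a real deployment loads and updates the list and keeps the key outside the password database.

```python
"""Password acceptance and storage checks modelled on IA-5(1) items (a), (b), (d), (f), (h).

Added example code, not part of the OSCAL control text. Assumptions: BLOCKLIST stands in
for the maintained list required by (a); SERVER_KEY is a constructed sample of the key for
the keyed hash in (d) and would be held in a KMS or HSM in practice.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 14            # (h) requirement for accounts that cannot use MFA
PBKDF2_ITERATIONS = 600_000
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample pepper
# Constructed sample of the list required by (a); a deployment loads and updates a real one.
BLOCKLIST = {"password123456", "correct horse battery staple", "welcome to the company"}


def check_password(candidate: str) -> list:
    """Return policy violations for a new password; an empty list means it is acceptable."""
    normalized = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalized.lower() in BLOCKLIST:                     # (b): reject listed passwords
        problems.append("appears on the commonly-used/compromised list")
    if not all(ch.isprintable() for ch in normalized):     # (f): spaces and printables allowed
        problems.append("contains non-printable characters")
    # No special-character composition rule and no rotation check, per the (h) requirement.
    return problems


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """(d): salted PBKDF2-HMAC-SHA256, then an HMAC under a server-side key (keyed hash)."""
    salt = salt or os.urandom(16)  # fresh random salt per password when none is supplied
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    tag = hmac.new(SERVER_KEY, derived, "sha256").digest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record from the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, _ = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)
```

Item (c) is not shown here because it is a transport property: the check above runs on the server and the password must reach it only over a TLS session using FIPS-validated cryptography (see SC-13).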