IA.L2-3.5.10—Cryptographically-Protected Passwords
Level 2
800-171: 3.5.10
Control Description
Store and transmit only cryptographically-protected passwords.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for password storage and transmission?
- What cryptographic standards do you use for password protection?
- Who is responsible for ensuring passwords are cryptographically protected?
- How do you verify that passwords are never stored or transmitted in clear text?
Technical Implementation:
- How are passwords hashed for storage (e.g., bcrypt, PBKDF2)?
- What encryption protects passwords in transit (e.g., TLS)?
- What mechanisms ensure passwords are never stored in clear text?
- How do you verify that password storage and transmission are cryptographically protected?
- What hashing algorithms are used for password protection?
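The storage questions above (salted, iterated hashing with PBKDF2 and a check that no record is held in clear text) are easier to answer with a concrete artifact. The following is an added illustration, not part of this control text or any assessor guidance: it hashes passwords with PBKDF2-HMAC-SHA256 from the Python standard library, verifies them with a constant-time comparison, and audits a credential store for values that are not in the expected hash format or use a work factor below the policy minimum. The algorithm choice, 600,000-iteration minimum, salt and key lengths, and the `algorithm$iterations$salt$key` record layout are assumptions to be adjusted to your own policy.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy parameters (not taken from the control text):
# PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte random salt, 32-byte key.
ALGORITHM = "pbkdf2_sha256"
MIN_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (assumed layout)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(key)}"


def parse_hash(stored: str):
    """Split a stored value into (iterations, salt, key); None if not in the expected format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        key = base64.b64decode(parts[3], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if iterations < 1 or len(salt) != SALT_BYTES or len(key) != KEY_BYTES:
        return None
    return iterations, salt, key


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parsed = parse_hash(stored)
    if parsed is None:
        return False  # never fall back to comparing against a cleartext value
    iterations, salt, key = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return hmac.compare_digest(candidate, key)


def audit_credential_store(records: dict) -> list:
    """Return (username, finding) pairs for stored values that would fail this control."""
    findings = []
    for user, stored in records.items():
        parsed = parse_hash(stored)
        if parsed is None:
            findings.append(
                (user, "not a recognised password hash (possible cleartext or legacy format)")
            )
        elif parsed[0] < MIN_ITERATIONS:
            findings.append(
                (user, f"iteration count {parsed[0]} below policy minimum {MIN_ITERATIONS}")
            )
    return findings


if __name__ == "__main__":
    # Constructed sample store for demonstration; not real account data.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": "Summer2024!",  # cleartext value: must be flagged
        "carol": hash_password("pass", iterations=1000),  # weak work factor
    }
    for finding in audit_credential_store(store):
        print(finding)
```

The audit function cannot prove a value is not a password; it flags anything that does not parse as the agreed hash format, which is the practical check behind "never stored in clear text" and gives an assessor a repeatable artifact rather than a verbal assurance.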
Evidence & Documentation:
- What authentication policy documentation can you provide?
- What password policy settings and configurations can you show?
- What MFA enrollment and usage reports demonstrate compliance?
- What account management documentation shows the account lifecycle?
- What authentication logs demonstrate enforcement?
- What screenshots show authentication configurations?