IA.L2-3.5.7—Password Complexity
Level 2
800-171: 3.5.7
>Control Description
Enforce a minimum password complexity and change of characters when new passwords are created.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your password complexity policy?
- What complexity requirements have you established (length, character types, etc.)?
- How did you determine appropriate complexity requirements?
- How do you balance security with usability in password requirements?
- Who approves password policy settings?
Technical Implementation:
- What technical mechanisms enforce password complexity?
- How is password policy configured in authentication systems?
- What password filters reject non-compliant passwords?
- How do you enforce complexity across different system types?
- What tools verify password complexity settings are properly configured?
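The "password filter" the questions above refer to is the mechanism that turns the control's two requirements (minimum complexity, and a minimum change of characters from the current password) into an accept/reject decision. The following is an added example written for this page, not code from the control text or from any product. The thresholds in `Policy` (14 characters, 3 of 4 character classes, 4 changed positions) are assumptions for illustration; 3.5.7 leaves the actual numbers to the organization's documented policy. The change-of-characters metric follows the SP 800-171 discussion text for 3.5.7, which measures changes against the positions of the current password, so it is a position-by-position comparison with any length difference counted as changed positions.

```python
"""Password filter for IA.L2-3.5.7: minimum complexity plus a minimum number of
changed characters relative to the current password.

Illustrative example written for this page; it is not code from the control
text or any product. Policy thresholds are assumptions, not values the control
prescribes; set them from your documented password policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Policy:
    # Assumed thresholds for the example; 3.5.7 leaves the numbers to the organization.
    min_length: int = 14
    min_classes: int = 3            # of the four classes in CLASSES
    min_changed_positions: int = 4  # the "change of characters" requirement


# Character classes counted toward complexity.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes present in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}


def changed_positions(old: str, new: str) -> int:
    """Count positions that differ between the current and the new password.

    Compares position by position and counts any length difference as changed
    positions too (one reading of the 800-171 discussion, which measures changes
    against the positions of the current password). A case-only change or an
    incremented trailing digit therefore scores 1, which is exactly what the
    change-of-characters rule is meant to reject.
    """
    same_length_diffs = sum(1 for a, b in zip(old, new) if a != b)
    return same_length_diffs + abs(len(old) - len(new))


def check_password(new: str, old: Optional[str], policy: Policy = Policy()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    `old` is the user's current password, or None for a first-time password,
    in which case the change-of-characters rule does not apply.
    """
    problems: List[str] = []
    if len(new) < policy.min_length:
        problems.append(f"length {len(new)} is below the minimum of {policy.min_length}")
    classes = character_classes(new)
    if len(classes) < policy.min_classes:
        problems.append(
            f"only {len(classes)} character class(es) ({', '.join(sorted(classes)) or 'none'}); "
            f"minimum is {policy.min_classes}"
        )
    if old is not None:
        changed = changed_positions(old, new)
        if changed < policy.min_changed_positions:
            problems.append(
                f"only {changed} of {len(old)} positions changed; "
                f"minimum is {policy.min_changed_positions}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample password changes for the demo, not real credentials.
    samples = [
        ("Winter2023!qwe", "Winter2024!qwe"),        # trailing digit incremented
        ("Winter2023!qwe", "winter2023!qwe"),        # case-only change
        (None, "correcthorsebattery"),               # long, but a single character class
        (None, "Short1!"),                           # all four classes, but too short
        ("Green-Valley-1999", "Blue-Harbor-2024x"),  # accepted
    ]
    for old, new in samples:
        verdict = check_password(new, old)
        outcome = "ACCEPT" if not verdict else "REJECT: " + "; ".join(verdict)
        print(f"{old!r} -> {new!r}: {outcome}")
```

The point of the second rule is visible in the first two samples: "Winter2023!qwe" to "Winter2024!qwe" passes every composition check yet changes one position, so a complexity-only filter would accept the rotation this control is written to stop. Whatever thresholds an organization documents, the same numbers should appear in the directory or PAM configuration that enforces them and in the screenshots or exported settings offered as evidence, so that the policy, the configuration and the evidence agree.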
Evidence & Documentation:
- What authentication policy documentation can you provide?
- What password policy settings and configurations can you show?
- What MFA enrollment and usage reports demonstrate compliance?
- What account management documentation shows account lifecycle?
- What authentication logs demonstrate enforcement?
- What screenshots show authentication configurations?