IA.L2-3.5.8—Password Reuse
Level 2
800-171: 3.5.8
Control Description
Prohibit password reuse for a specified number of generations.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for password reuse prevention?
- How many password generations do you prevent from reuse?
- How did you determine the appropriate password history depth?
- What is your process for enforcing password history requirements?
Technical Implementation:
- What mechanisms enforce password history?
- How many previous passwords are stored and checked?
- How is password history configured in authentication systems?
- What technical controls prevent password reuse?
- How do you verify password history is enforced?
Evidence & Documentation:
- What authentication policy documentation can you provide?
- What password policy settings and configurations can you show?
- What MFA enrollment and usage reports demonstrate compliance?
- What account management documentation shows account lifecycle?
- What authentication logs demonstrate enforcement?
- What screenshots show authentication configurations?