IA-5(1)—Authenticator Management | Password-based Authentication
>Control Description
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
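As an added illustration (not part of the control text or any NIST reference implementation), the following Python shows how items (b), (d) and (f) fit together in a registration or password-change flow: the candidate password is screened against a compromised-password list, spaces and printable characters are accepted, and the stored credential is a salted key derivation over a keyed hash. The list contents, the minimum/maximum lengths and the pepper handling are assumptions for the example; a real deployment loads a maintained breach list and keeps the pepper in a secret store.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the list required by IA-5(1)(a); a deployment would
# load a maintained corpus and refresh it on the organization-defined schedule.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed length bounds for (f)/(h); the control leaves these organization-defined.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Hypothetical server-side secret ("pepper") for the keyed hash in (d). Generated
# per process here only so the example runs stand-alone.
PEPPER = os.urandom(32)


def check_password_policy(pw: str) -> list:
    """Return the list of policy violations for a candidate password (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    # (f): spaces and all printable characters are allowed; only control
    # characters such as tab or newline are rejected.
    if not pw.isprintable():
        problems.append("non-printable character")
    # (b): reject anything on the commonly-used/compromised list.
    if pw.lower() in COMPROMISED_PASSWORDS:
        problems.append("found on compromised-password list")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """(d): salted KDF (scrypt) applied to a keyed hash (HMAC-SHA256 under PEPPER)."""
    salt = salt or os.urandom(16)
    keyed = hmac.new(PEPPER, pw.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.scrypt(keyed, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, stored)
```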
>Related Controls