IA-5: Authenticator Management

NIST Baseline: Low

DIR Required By: 07/20/2023

Review Date: 07/10/2024

  • Passwords and other authenticators must be treated as confidential information in accordance with Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security:  
    • Users are prohibited from sharing their password or authenticator with any other person.
    • If the confidentiality of a password or authenticator is in doubt, it must be changed immediately.  
  • The identity of the individual, group, role, service, or device receiving an authenticator must be verified as part of the initial authenticator distribution.
  • Initial authenticator content for any authenticators issued by the university is completed in accordance with established procedures.
  • Default or assigned passwords must be changed prior to first use.
  • Passwords must be protected both in storage and in transit.  
    • When passwords are stored, they must be stored as a one-way cryptographic hash, using an algorithm as specified by Control IA-7, Cryptographic Module Authentication.
    • Where feasible, password hashes should be salted.  
    • Passwords must be encrypted when transmitted.  
    • Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt if it is a one-time transmission and the user must also change the password upon first logon.  
  • Users will be directed to use a self-service password reset when they need to change their password. If a user is not able to perform a self-service reset, their identity must be verified before the password is changed.  
    • The password must be changed to a temporary password; and  
    • The user must change the temporary password at first logon (where applicable).  
  • When automated password generation programs are utilized:  
    • Non-predictable methods of generation must be used;  
    • Where feasible, systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system; and  
    • Where feasible, password management and automated password generation systems must have the capability to maintain auditable transaction logs containing information such as:  
      • Time and date of password change, expiration, and administrative reset;  
      • Type of action performed; and  
      • Source system (e.g., IP and/or MAC address) that originated the change request.
  • If a password or other authenticator is assumed to be compromised, the event must be reported as a security incident following Control IR-6, Incident Reporting.  
  • Where feasible, the following password complexity requirements will be implemented:  
  • Where feasible, user selected passwords must be checked to ensure that they meet complexity requirements by a password audit system.  
  • The information resource custodian responsible for a group/role account (e.g., a service account) will ensure that the password or authenticator is changed immediately when a user's authorization to use the account is revoked.
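The storage, automated-generation and audit-log requirements above, brought together in one hypothetical password-management store as an added illustration (not Tarleton's or TAMUS's code). It assumes PBKDF2-HMAC-SHA256 as the IA-7-approved hash, and the user name and source IP used with it are constructed sample values.

```python
import hashlib, hmac, os, secrets, string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 600_000  # assumption: stands in for the IA-7-approved parameter set

def generate_temporary_password(length=16):
    # Non-predictable generation: secrets draws from the OS CSPRNG, never random.random()
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password, salt=None):
    # Salted one-way hash; a random per-account salt defeats precomputed tables
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class PasswordStore:
    def __init__(self):
        self.accounts, self.audit_log = {}, []

    def _audit(self, user, action, source_ip):
        # Time/date, type of action and source system, as the control lists; no secret is logged
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action, "source": source_ip})

    def administrative_reset(self, user, source_ip):
        # Temporary password is returned once (one-time transmission) and flagged
        # so the account holder must replace it at first logon
        temp = generate_temporary_password()
        salt, digest = hash_password(temp)
        self.accounts[user] = {"salt": salt, "digest": digest, "must_change": True}
        self._audit(user, "administrative_reset", source_ip)
        return temp

    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        candidate = hash_password(password, acct["salt"])[1]
        if not hmac.compare_digest(candidate, acct["digest"]):  # constant-time comparison
            return "denied"
        return "change_required" if acct["must_change"] else "ok"

    def change_password(self, user, old, new, source_ip):
        if self.authenticate(user, old) == "denied":
            return False
        salt, digest = hash_password(new)
        self.accounts[user] = {"salt": salt, "digest": digest, "must_change": False}
        self._audit(user, "password_change", source_ip)
        return True
```

The audit entries carry the time, action and source but never the password or its hash, so the log itself does not become a second secret to protect.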

References/Additional Resources

TAMUS Regulation 29.01.03, Information Security

Tarleton OITS – Password Authentication Standards