IA-5(1): Authenticator Management – Password Based Authentication
NIST Baseline: Low
DIR Required By: 11/18/2024
Review Date: 07/10/2024
- For password-based authentication:
  - Maintain a list of commonly-used, expected, or compromised passwords and update the list on a regular basis and when organizational passwords are suspected to have been compromised directly or indirectly;
  - Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords;
  - Transmit passwords only over cryptographically-protected channels;
  - Store passwords using an approved salted key derivation function, preferably using a keyed hash;
  - Require immediate selection of a new password upon account recovery;
  - Allow user selection of long passwords and passphrases, including spaces and all printable characters;
  - Employ automated tools to assist the user in selecting strong password authenticators; and
  - Where feasible, the following password composition and complexity requirements will be implemented:
    - The password must be 8 characters or more.
    - The password may not be reused from the previous 10 passwords.
    - Privileged accounts must have additional complexity.
    - Any additional password complexity requirements as defined by the applicable Group Policy and the Tarleton Office of Innovative Technology Services (OITS) Password Authentication Standards, together with any applicable internal procedures referencing password complexity requirements.
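The following is an added illustration of how the storage and verification requirements above fit together; it is example code, not part of this control or of any Tarleton or DIR implementation. The blocklist contents, the PBKDF2 iteration count and the server-side pepper are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample blocklist; a real deployment loads a large, regularly refreshed list.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty123", "letmein"}

MIN_LENGTH = 8            # "8 characters or more"
HISTORY_DEPTH = 10        # "not reused from the previous 10 passwords"
PBKDF2_ITERATIONS = 210_000   # assumed work factor; tune to the deployment
PEPPER = b"example-server-side-key"   # assumed keyed-hash secret, kept outside the database


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted key derivation with a keyed hash: HMAC(pepper, password) fed to PBKDF2-HMAC-SHA256.
    Returns (salt, digest) so the salt can be stored beside the digest."""
    salt = salt or os.urandom(16)
    keyed = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def validate_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Check a proposed password against the policy; an empty list means it is acceptable.
    `history` holds (salt, digest) pairs of the user's earlier passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Spaces are printable, so long passphrases pass; control characters do not.
    if not all(ch.isprintable() for ch in password):
        problems.append("contains non-printable characters")
    if password.lower() in COMPROMISED_PASSWORDS:
        problems.append("found on the compromised/common password list")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append(f"reused from the previous {HISTORY_DEPTH} passwords")
    return problems
```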