| TD: Defined Minimum Password Complexity

Defined Minimum Password Complexity, v1.0

Defines conformance and assessment criteria for compliance with minimum security requirements for defined minimum password complexity as related to overall identification and authentication requirements.

If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.

The assessment step shall not be marked as satisfied without this evidence.

Assessment Steps (11)

1 Passwords Case Sensitive (PasswordsCaseSensitive) For password-based authentication, does the information system enforce minimum password complexity of <organization-defined requirements for case sensitivity>? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether passwords are case sensitive. Parameter Passwords Case Sensitive^required BOOLEAN : Specify if passwords must be case sensitive (TRUE=Yes)
2 Minimum Password Length (MinimumPasswordLength) For password-based authentication, does the information system enforce minimum password complexity for the number of characters? If yes, you may specify the minimum number in the parameter associated with this step. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of characters required Parameter Minimum Length NUMBER : Provide the minimum required character length for passwords.
3 Minimum Upper Case (MinimumUpperCase) For password-based authentication, does the information system enforce minimum password complexity for the minimum number of upper-case letters? If yes, you may specify the minimum number in the parameter associated with this step. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of upper-case characters required Parameter Minimum Upper Case NUMBER : Provide the minimum number of upper-case characters passwords must contain.
4 Minimum Lower Case (MinimumLowerCase) For password-based authentication, does the information system enforce minimum password complexity for the minimum number of lower-case letters? If yes, you may specify the minimum number in the parameter associated with this step. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of lower-case characters required Parameter Minimum Lower Case NUMBER : Provide the minimum number of lower-case characters passwords must contain.
5 Minimum Numeric Characters (MinimumNumericCharacters) For password-based authentication, does the information system enforce minimum password complexity for the minimum number of numeric characters? If yes, you may specify the minimum number in the parameter associated with this step. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of numeric characters required Parameter Minimum Numeral Characters NUMBER : Provide the minimum number of numeric characters passwords must contain.
6 Minimum Special Characters (MinimumSpecialCharacters) For password-based authentication, does the information system enforce minimum password complexity for the minimum number of special characters? If yes, you may specify the minimum number in the parameter associated with this step. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of special characters required Parameter Minimum Special Characters NUMBER : Provide the minimum number of special characters passwords must contain.
7 Dictionary Check (DictionaryCheck) For password-based authentication, does the information system enforce minimum password complexity by requiring passwords pass a dictionary check? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether a dictionary check is required. Parameter Not A Dictionary Word^required BOOLEAN : Specify if passwords must NOT be dictionary words. (TRUE=Dictionary words prohibited)
8 No Proper Names (NoProperNames) For password-based authentication, does the information system enforce minimum password complexity by ensuring that no proper names are permitted? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether proper names are prohibited. Parameter No Proper Names^required BOOLEAN : Specify if passwords must NOT be proper names. (TRUE=Proper names prohibited)
9 Not Same As UserID (NotSameAsUserID) For password-based authentication, does the information system enforce minimum password complexity by ensuring that they are not the same as the User ID? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether passwords matching UserIDs are prohibited. Parameter Not Same As User ID^required BOOLEAN : Specify if passwords must NOT be the same as UserIDs. (TRUE=User IDs as passwords prohibited)
10 No Repeating Characters (NoRepeatingCharacters) For password-based authentication, does the information system enforce minimum password complexity by ensuring there are no repeating characters or digits (i.e., 112233, AAbbccDD)? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether repeating characters are prohibited. Parameter Characters Do Not Repeat^required BOOLEAN : Specify if passwords must NOT contain repeating characters. (TRUE=Repeating characters prohibited)
11 No Sequential Patterns (NoSequentialPatterns) For password-based authentication, does the information system enforce minimum password complexity by ensuring there are no sequential characters or digits (i.e., 12345, ABCDE)? Artifacts A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2 Provide the value (true/false) as to whether sequential characters are prohibited. Parameter No Sequential Patterns^required BOOLEAN : Specify if passwords must NOT contain sequential patterns. (TRUE=Sequential patterns prohibited)

If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

Conformance Criteria (3)

C1 For password-based authentication, the information system must enforce minimum password complexity of <organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type>. Citations SP800-53R4 Appendix F, IA-5 (1) CJIS-SP-V5-4 Section 5.6.2.1.1. CJIS-SP-V5-4 Section 5.6.2.1.2.
C2 5.6.2.1.1 Password Agencies shall follow the secure password attributes, below, to authenticate an individual's unique ID. Passwords shall: 1. Be a minimum length of eight (8) characters on all systems. 2. Not be a dictionary word or proper name. 3. Not be the same as the Userid. 4. Expire within a maximum of 90 calendar days. 5. Not be identical to the previous ten (10) passwords. 6. Not be transmitted in the clear outside the secure location. 7. Not be displayed when entered.
C3 5.6.2.1.2 Personal Identification Number (PIN) When agencies utilize a PIN in conjunction with a certificate or a token (e.g. key fob with rolling numbers) for the purpose of advanced authentication, agencies shall follow the PIN attributes described below. 1. Be a minimum of six (6) digits 2. Have no repeating digits (i.e., 112233) 3. Have no sequential patterns (i.e., 123456) 4. Not be the same as the Userid. 5. Expire within a maximum of 365 calendar days. a. If a PIN is used to access a soft certificate which is the second factor of authentication, AND the first factor is a password that complies with the requirements in Section 5.6.2.1.1, then the 365 day expiration requirement can be waived by the CSO. 6. Not be identical to the previous three (3) PINs. 7. Not be transmitted in the clear outside the secure location. 8. Not be displayed when entered.

Show Metadata, Sources & Terms

Hide Metadata, Sources & Terms

Metadata

Identifier

https://artifacts.trustmarkinitiative.org/lib/tds/defined-minimum-password-complexity/1.0/

Publication Date

2018-10-24

Issuing Organization

Trustmark Initiative (https://trustmarkinitiative.org/) View Contact

Trustmark Support

help@trustmarkinitiative.org

555-555-5555

No Mailing Address

Keywords

Identification and Authentication, Security, Information Assurance, NIST, 800-53

Issuance Criteria

not na(PasswordsCaseSensitive) and not na(MinimumPasswordLength) and not na(MinimumUpperCase) and not na(MinimumLowerCase) and not na(MinimumNumericCharacters) and not na(MinimumSpecialCharacters) and not na(DictionaryCheck) and not na(NoRepeatingCharacters) and not na(NoSequentialPatterns) and not na(NoProperNames) and not na(NotSameAsUserID)

Target Stakeholder

Organizations that are interested in implementing or making use of digital information systems in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.

Target Recipient

Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.

Target Relying Party

Organizations and individuals that require their trusted partners' computer and information systems to comply with widely accepted information security standards and practices such as NIST Special Publication 800-53.

Target Provider

Organizations that audit or evaluate other organizations for compliance with widely accepted information security standards and practices such as NIST Special Publication 800-53.

Provider Eligibility Criteria

Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.

Assessor Qualifications

Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.

Trustmark Revocation Criteria

For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.

Extension Description

This Trustmark Definition requires no extension data.

Legal Notice

This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Sources (2)

CJIS-SP-V5-4	Criminal Justice Information Services (CJIS) Security Policy Version 5.4, 10/06/2015, CJISD-ITS-DOC-08140-5.4
SP800-53R4	NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Includes updates as of 01-15-2014). Available at http://dx.doi.org/10.6028/NIST.SP.800-53r4.

Terms (31)

Term Name	Abbreviations	Definition
Accreditation		The official management decision given by a senior organization official to authorize operation of an information system and to explicitly accept the risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Authentication		Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Authorizing Official		Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals. Synonymous with Accreditation Authority.
Availability		Ensuring timely and reliable access to and use of information.
Certification		A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Confidentiality		Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Environment		Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.
Incident		An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Information		An instance of an information type; data.
Information Security		The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information System		A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information Technology		Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the organization. For purposes of the preceding sentence, equipment is used by an organization if the equipment is used by the organization directly or is used by a contractor under a contract with the organization which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Integrity		Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Management Controls		The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Media		Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
Organization		An organized body of people with a particular purpose, especially a business, society, association, government agency, etc.
Potential Impact		The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Records		All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an organization in connection with the transaction of business and preserved or appropriate for preservation by that organization or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities such as legal requirements or because of the informational value of the data in them.
Risk		The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Management		The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Safeguards		Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Sanitization		Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.
Security Category		The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
Security Controls		The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security Plan		See System Security Plan.
Security Requirements		Requirements levied on an information system that are derived from applicable laws, orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
System		See information system.
System Security Plan		Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
Threat		Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
User		Individual or (system) process authorized to access an information system.
Vulnerability		Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Also available as XML or JSON