Defined Minimum Password Complexity, v1.0
Defines conformance and assessment criteria for compliance with minimum security requirements for defined minimum password complexity as related to overall identification and authentication requirements.
If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.
Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.
The assessment step shall not be marked as satisfied without this evidence.
The assessment step shall not be marked as satisfied without this evidence.
Assessment Steps (11)
1
Passwords Case Sensitive (PasswordsCaseSensitive)
For password-based authentication, does the information system enforce minimum password complexity of <organization-defined requirements for case sensitivity>?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether passwords are case sensitive.
Parameter
Passwords Case Sensitiverequired
BOOLEAN : Specify if passwords must be case sensitive (TRUE=Yes)
|
2
Minimum Password Length (MinimumPasswordLength)
For password-based authentication, does the information system enforce minimum password complexity for the number of characters? If yes, you may specify the minimum number in the parameter associated with this step.
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of characters required
Parameter
Minimum Length
NUMBER : Provide the minimum required character length for passwords.
|
3
Minimum Upper Case (MinimumUpperCase)
For password-based authentication, does the information system enforce minimum password complexity for the minimum number of upper-case letters? If yes, you may specify the minimum number in the parameter associated with this step.
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of upper-case characters required
Parameter
Minimum Upper Case
NUMBER : Provide the minimum number of upper-case characters passwords must contain.
|
4
Minimum Lower Case (MinimumLowerCase)
For password-based authentication, does the information system enforce minimum password complexity for the minimum number of lower-case letters? If yes, you may specify the minimum number in the parameter associated with this step.
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of lower-case characters required
Parameter
Minimum Lower Case
NUMBER : Provide the minimum number of lower-case characters passwords must contain.
|
5
Minimum Numeric Characters (MinimumNumericCharacters)
For password-based authentication, does the information system enforce minimum password complexity for the minimum number of numeric characters? If yes, you may specify the minimum number in the parameter associated with this step.
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of numeric characters required
Parameter
Minimum Numeral Characters
NUMBER : Provide the minimum number of numeric characters passwords must contain.
|
6
Minimum Special Characters (MinimumSpecialCharacters)
For password-based authentication, does the information system enforce minimum password complexity for the minimum number of special characters? If yes, you may specify the minimum number in the parameter associated with this step.
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. A2: Provide the minimum number of special characters required
Parameter
Minimum Special Characters
NUMBER : Provide the minimum number of special characters passwords must contain.
|
7
Dictionary Check (DictionaryCheck)
For password-based authentication, does the information system enforce minimum password complexity by requiring passwords pass a dictionary check?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether a dictionary check is required.
Parameter
Not A Dictionary Wordrequired
BOOLEAN : Specify if passwords must NOT be dictionary words. (TRUE=Dictionary words prohibited)
|
8
No Proper Names (NoProperNames)
For password-based authentication, does the information system enforce minimum password complexity by ensuring that no proper names are permitted?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether proper names are prohibited.
Parameter
No Proper Namesrequired
BOOLEAN : Specify if passwords must NOT be proper names. (TRUE=Proper names prohibited)
|
9
Not Same As UserID (NotSameAsUserID)
For password-based authentication, does the information system enforce minimum password complexity by ensuring that they are not the same as the User ID?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether passwords matching UserIDs are prohibited.
Parameter
Not Same As User IDrequired
BOOLEAN : Specify if passwords must NOT be the same as UserIDs. (TRUE=User IDs as passwords prohibited)
|
10
No Repeating Characters (NoRepeatingCharacters)
For password-based authentication, does the information system enforce minimum password complexity by ensuring there are no repeating characters or digits (i.e., 112233, AAbbccDD)?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether repeating characters are prohibited.
Parameter
Characters Do Not Repeatrequired
BOOLEAN : Specify if passwords must NOT contain repeating characters. (TRUE=Repeating characters prohibited)
|
11
No Sequential Patterns (NoSequentialPatterns)
For password-based authentication, does the information system enforce minimum password complexity by ensuring there are no sequential characters or digits (i.e., 12345, ABCDE)?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the value (true/false) as to whether sequential characters are prohibited.
Parameter
No Sequential Patternsrequired
BOOLEAN : Specify if passwords must NOT contain sequential patterns. (TRUE=Sequential patterns prohibited)
|
If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.
Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.
Conformance Criteria (3)
C1
For password-based authentication, the information system must enforce minimum password complexity of <organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type>.
Citations
SP800-53R4
Appendix F, IA-5 (1)
CJIS-SP-V5-4
Section 5.6.2.1.1.
CJIS-SP-V5-4
Section 5.6.2.1.2.
|
C2
5.6.2.1.1 Password Agencies shall follow the secure password attributes, below, to authenticate an individual's unique ID. Passwords shall: 1. Be a minimum length of eight (8) characters on all systems. 2. Not be a dictionary word or proper name. 3. Not be the same as the Userid. 4. Expire within a maximum of 90 calendar days. 5. Not be identical to the previous ten (10) passwords. 6. Not be transmitted in the clear outside the secure location. 7. Not be displayed when entered.
|
C3
5.6.2.1.2 Personal Identification Number (PIN) When agencies utilize a PIN in conjunction with a certificate or a token (e.g. key fob with rolling numbers) for the purpose of advanced authentication, agencies shall follow the PIN attributes described below. 1. Be a minimum of six (6) digits 2. Have no repeating digits (i.e., 112233) 3. Have no sequential patterns (i.e., 123456) 4. Not be the same as the Userid. 5. Expire within a maximum of 365 calendar days. a. If a PIN is used to access a soft certificate which is the second factor of authentication, AND the first factor is a password that complies with the requirements in Section 5.6.2.1.1, then the 365 day expiration requirement can be waived by the CSO. 6. Not be identical to the previous three (3) PINs. 7. Not be transmitted in the clear outside the secure location. 8. Not be displayed when entered.
|