IA-5(1) Authenticator Management | Password-based Authentication

Description

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

Applicability

The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.

Implementation

For password-based authentication:

  1. Maintain a list of commonly-used, expected, or compromised passwords and update the list annually and when organizational passwords are suspected to have been compromised directly or indirectly;
  2. Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
  3. Transmit passwords only over cryptographically-protected channels;
  4. Store passwords using an approved salted key derivation function, preferably using a keyed hash;
  5. Require immediate selection of a new password upon account recovery;
  6. Allow user selection of long passwords and passphrases, including spaces and all printable characters;
  7. Employ automated tools to assist the user in selecting strong password authenticators; and
  8. Enforce the following composition and complexity rules:
    1. Minimum length:
      1. Admin accounts – 12 characters
      2. Standard accounts – 8 characters
    2. Must contain 1 letter
    3. Must contain 1 number
    4. Must contain 1 symbol
    5. Must not contain the user’s name
    6. Must not contain the user’s IslandID

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events