A Password Policy mandating compliance with industry standards for password creation and use SHALL be implemented and SHALL be enforced on all Identity & Access Management platforms in use in the business.
Passwords have long been the default method for authenticating users to systems, and the username and password combination is still the most common means of authenticating subjects to objects. A subject creates a memorable string of characters and provides it to the system at enrollment; from then on, the user enters that same string whenever the system asks for it.
Because passwords have been in use for so long, adversaries have devised numerous schemes to compromise them and exploit them for nefarious purposes. To combat this, users are urged to create stronger passwords, but what constitutes a “strong password” is confusing to many users. To enforce consistent requirements for strong passwords, businesses need to draft a password policy that clearly explains expectations for password creation and use. The policy must be distributed to all employees, with additional training and assistance provided where needed. Businesses also need to enforce the policy technically in their information systems, which may mean configuring the settings in a domain's Group Policy Management console or in an individual system's Local Group Policy. The same settings must also be configured on company cloud resources and Identity & Access Management (IAM) platforms; a written policy that the verifier does not enforce has no effect on the passwords users actually choose.
The traditional requirements for user account passwords are generally listed as follows:
- Minimum password length of 12 to 15 characters.
- Enable password complexity (on Windows this means characters from at least three of the categories uppercase, lowercase, digits and symbols, and no substring of the account or full name).
- Set a maximum password age of 60 to 90 days, with 30 days preferred for high-impact resources.
- Enforce password history, so that previously used passwords cannot be reused.
- Enforce a minimum password age of at least 15 days, so that users cannot cycle through the history list in one sitting to get back to a favourite password.
NIST SP 800-63B-4, the Authentication and Authenticator Management volume of the Digital Identity Guidelines, departs sharply from the traditional rules above, continuing the direction NIST first set in its 2017 revision. The NIST guidance makes the following major changes:
- Do not require periodic password changes; force a change only when there is evidence that the password or the account has been compromised.
- Use multifactor authentication (MFA) wherever the required assurance level calls for it: a password on its own satisfies only NIST's lowest authenticator assurance level (AAL1), and AAL2 and above require a second factor, so MFA is the expected default for anything sensitive.
- Require a minimum password length of 8 characters (15 is recommended), permit passwords of at least 64 characters including spaces and Unicode, and impose no other composition rules such as mandatory uppercase letters, digits or symbols.
- Screen every new or changed password against a blocklist of commonly used, expected or compromised passwords, and reject:
  - Passwords that have appeared in public password dumps and breach corpora.
  - Passwords that are a dictionary word (a lone word, with or without a trivial digit or symbol tacked on, such as Password123!).
  - Passwords made of repetitive or sequential characters, such as aaaaaaaa or abcdefg123456.
  - Passwords that contain context-specific words: the user's name or username, the service name, and derivatives of them.
These guidelines also emphasize passphrases as a way to obtain strong passwords. A passphrase is a sequence of several unrelated words, or a whole sentence, used directly as the secret: it is easy to remember, and its length supplies the strength that composition rules tried to extract with symbols and digits. Note that a passphrase fails a traditional complexity rule (no uppercase, no digits) while passing the NIST checks, and a decorated dictionary word such as Password123! does the reverse, so the two standards cannot simply be layered on top of each other. It is up to the business itself to decide which password standard is the best fit for its environment; whichever it chooses, the written policy and the settings enforced on its IAM platforms must match.
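As an added example, not part of the original policy text, the following Python implements the NIST-style screen listed above next to the traditional complexity rule, so both can be run over the same candidates. The breach list, the word list, the username j.smith and the service name ExampleCorp are constructed for this example; a real verifier would load a complete breach corpus (the index here is shaped like a k-anonymity range lookup, in which only the first five hex characters of the SHA-1 leave the verifier) and a full dictionary. The 75% threshold for patterned characters and the 4-character minimum for context fragments are choices made for this example, not NIST numbers.

```python
import hashlib
import re
import unicodedata
from typing import Iterable, List, Optional

MIN_LENGTH = 8           # SP 800-63B-4 floor (SHALL)
RECOMMENDED_LENGTH = 15  # SP 800-63B-4 recommendation (SHOULD)
MAX_LENGTH = 64          # verifiers SHALL accept at least this many characters

# Constructed stand-in for a breach corpus (NOT real data), indexed the way a
# k-anonymity range lookup returns it: first 5 hex chars of SHA-1 -> suffixes.
_SAMPLE_BREACHED = ("password", "123456", "qwerty", "letmein", "Password123!")
BREACH_INDEX = {}
for _pw in _SAMPLE_BREACHED:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])

# Constructed mini word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "football", "sunshine",
              "correct", "horse", "battery", "staple", "summer"}

_KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_breached(password: str) -> bool:
    """Look the SHA-1 up by 5-char prefix, then full suffix, as a range API does."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


def is_single_dictionary_word(password: str) -> bool:
    """'Password123!' -> 'password': one word with trivial decoration."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core in DICTIONARY


def _adjacent(a: str, b: str) -> bool:
    """Repetition, ASCII neighbours (a->b, 1->2) or same-row keyboard neighbours."""
    if a == b or abs(ord(a) - ord(b)) == 1:
        return True
    return any(a in row and b in row and abs(row.index(a) - row.index(b)) == 1
               for row in _KEYBOARD_ROWS)


def patterned_fraction(password: str, min_run: int = 4) -> float:
    """Share of characters that sit in repetitive/sequential runs of min_run+."""
    s = password.lower()
    covered, i = 0, 0
    while i < len(s):
        j = i
        while j + 1 < len(s) and _adjacent(s[j], s[j + 1]):
            j += 1
        if j - i + 1 >= min_run:
            covered += j - i + 1
        i = j + 1
    return covered / len(s) if s else 0.0


def context_hit(password: str, context_terms: Iterable[str]) -> Optional[str]:
    """Return the username/service fragment (4+ chars) found in the password."""
    p = password.lower()
    for term in context_terms:
        for piece in re.split(r"[^a-z0-9]+", term.lower()):
            if len(piece) >= 4 and (piece in p or piece[::-1] in p):
                return piece
    return None


def nist_check(password: str, context_terms: Iterable[str] = ()) -> List[str]:
    """Return the rejection reasons; an empty list means the password is accepted."""
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing/hashing
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(pw):
        reasons.append("appears in breach corpus")
    if is_single_dictionary_word(pw):
        reasons.append("single dictionary word")
    if patterned_fraction(pw) >= 0.75:
        reasons.append("repetitive or sequential characters")
    hit = context_hit(pw, context_terms)
    if hit:
        reasons.append(f"contains context term '{hit}'")
    return reasons


def legacy_complexity_check(password: str, min_length: int = 12) -> bool:
    """The older rule: minimum length plus at least 3 of 4 character classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= min_length and classes >= 3


if __name__ == "__main__":
    ctx = ("j.smith", "ExampleCorp")  # constructed username and service name
    for candidate in ("Password123!", "abcdefg123456",
                      "correct horse battery staple", "Jsmith-ExampleCorp-2024"):
        print(f"{candidate!r:34} legacy={legacy_complexity_check(candidate)!s:5} "
              f"short={len(candidate) < RECOMMENDED_LENGTH!s:5} "
              f"nist={nist_check(candidate, ctx) or 'accepted'}")
```

Running the block prints, for each constructed candidate, whether the legacy rule and the NIST screen accept it: correct horse battery staple is accepted by the NIST screen and rejected by the legacy rule, while Password123! and Jsmith-ExampleCorp-2024 do the opposite. Leet substitution (P@ssw0rd) is not handled here; a production filter would fold those substitutions before the dictionary and context checks.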
