IA-5 (1) - Password-based Authentication
Control requirements
The information system, for password-based authentication:
- IA-5 (1) (a): Enforces minimum password complexity of [IBM Assignment: minimum length of 8 characters, cannot be a derivative of the username, and must have a combination of alpha and numeric characters];
- IA-5 (1) (b): Enforces at least the following number of changed characters when new passwords are created: [IBM Assignment: at least one (1)];
- IA-5 (1) (c): Stores and transmits only cryptographically-protected passwords;
- IA-5 (1) (d): Enforces password minimum and maximum lifetime restrictions of [IBM Assignment: require passwords to be changed every 90 days, temporary passwords for web applications only valid for 24 hours];
- IA-5 (1) (e): Prohibits password reuse for [IBM Assignment: twenty-four (24)] generations; and
- IA-5 (1) (f): Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Implementation guidance
See the resources that follow to learn more about how to implement this control.
NIST supplemental guidance
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
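The following added example (not IBM's or NIST's code) shows how the complexity, changed-character and reuse clauses of IA-5 (1) above, together with the salted one-way hashing the supplemental guidance describes, can be enforced at password-change time. The reading of "derivative of the username" (username or its reverse appears in the candidate) and the PBKDF2 work factor are assumptions for the demonstration.

```python
import hashlib
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 8            # IA-5 (1) (a): minimum length
MIN_CHANGED_CHARS = 1     # IA-5 (1) (b): positions that must differ from the current password
HISTORY_GENERATIONS = 24  # IA-5 (1) (e): generations that may not be reused
PBKDF2_ROUNDS = 100_000   # assumed work factor for this demonstration

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash (PBKDF2-HMAC-SHA256); only (salt, digest) is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def is_username_derivative(username: str, candidate: str) -> bool:
    """Assumed reading of 'derivative of the username': the username or its reverse appears in it."""
    u, c = username.lower(), candidate.lower()
    return len(u) >= 3 and (u in c or u[::-1] in c)

def changed_positions(current: str, candidate: str) -> int:
    """Positions that differ from the current password; a length difference counts as changed."""
    differing = sum(1 for a, b in zip(current, candidate) if a != b)
    return differing + abs(len(current) - len(candidate))

def check_new_password(username: str, candidate: str, current: str,
                       history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the IA-5 (1) clauses a proposed password would violate (empty list = accepted)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("IA-5(1)(a): fewer than 8 characters")
    if not (any(ch.isalpha() for ch in candidate) and any(ch.isdigit() for ch in candidate)):
        violations.append("IA-5(1)(a): needs both alphabetic and numeric characters")
    if is_username_derivative(username, candidate):
        violations.append("IA-5(1)(a): derived from the username")
    if changed_positions(current, candidate) < MIN_CHANGED_CHARS:
        violations.append("IA-5(1)(b): fewer than 1 character changed")
    # Re-hash the candidate under each stored salt; an equal digest means the password was reused.
    for salt, digest in history[-HISTORY_GENERATIONS:]:
        if hash_password(candidate, salt)[1] == digest:
            violations.append("IA-5(1)(e): reused within the last 24 generations")
            break
    return violations

def record_password(history: List[Tuple[bytes, bytes]], new_password: str) -> List[Tuple[bytes, bytes]]:
    """Append the accepted password's salted hash and keep only the last 24 generations."""
    history.append(hash_password(new_password))
    del history[:-HISTORY_GENERATIONS]
    return history
```

The history is checked by re-hashing under each stored salt because salted digests cannot be compared directly, which is exactly why the salt must be kept beside the digest.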