NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.7 Password Management

Maintain a list of commonly-used, expected, or compromised passwords, and update the list {{ insert: param, A.03.05.07.ODP.01 }} and when organizational passwords are suspected to have been compromised. Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords. Transmit passwords only over cryptographically protected channels. Store passwords in a cryptographically protected form. Select a new password upon first use after account recovery. Enforce the following composition and complexity rules for passwords: {{ insert: param, A.03.05.07.ODP.02 }}.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • a list of commonly used, expected, or compromised passwords is maintained.
  • a list of commonly used, expected, or compromised passwords is updated {{ insert: param, A.03.05.07.ODP.01 }}.
  • a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.
  • passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.
  • passwords are only transmitted over cryptographically protected channels.
  • passwords are stored in a cryptographically protected form.
  • a new password is selected upon first use after account recovery.
  • the following composition and complexity rules for passwords are enforced: {{ insert: param, A.03.05.07.ODP.02 }}.

Practitioner Notes

Password management is more than just "make it 14 characters." You need to check passwords against known-compromised lists, transmit them only over encrypted channels, store them hashed (never in plain text), and force users to replace temporary or recovery passwords on first use.

The days of requiring password changes every 60 days are over — modern guidance says use strong, unique passwords and check them against breach databases instead.

Example 1: In Entra ID, enable Password Protection under Protection > Authentication Methods > Password Protection. Turn on "Enforce custom banned password list" and add company-specific terms. Also enable "Enable password protection on Windows Server Active Directory" to extend this to on-prem AD. This checks passwords against Microsoft's global banned list plus your custom list at every password change.

Example 2: Configure a Group Policy for password complexity under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. Set minimum password length to 14 characters, enable "Password must meet complexity requirements," and set "Minimum password age" to 1 day (to prevent rapid cycling). Pair this with a tool like Specops Password Policy that checks new passwords against the Have I Been Pwned breach database in real time.
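The checks the practitioner notes describe (screen new passwords against a compromised list and organization-specific banned terms, enforce the 14-character minimum, and store only a salted, slow hash) can be exercised end to end in a few lines. The following is an added, self-contained Python example, not code from the page or from any vendor tool named above. The compromised-password sample, the banned terms, and the in-memory range index are constructed stand-ins; in a real deployment the range lookup is the k-anonymity query against a breach database (only the 5-character SHA-1 prefix leaves the client), and the hashing parameters would follow your own policy.

```python
import hashlib
import hmac
import os

# Constructed sample of known-compromised passwords. In production this corpus
# is the breach list itself (or a k-anonymity range endpoint); it is inlined
# here only so the example runs offline.
COMPROMISED_SAMPLE = {
    "password",
    "Welcome1",
    "correcthorsebatterystaple",
    "Summer2024!",
}

# Constructed organization-specific banned terms, mirroring a "custom banned
# password list": company and product names users tend to reuse.
BANNED_TERMS = {"acme", "widgetco"}

# Minimum length from the Group Policy setting discussed above.
MIN_LENGTH = 14


def sha1_upper_hex(password):
    """SHA-1 hex digest in upper case, the form the k-anonymity range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the constructed corpus by 5-character SHA-1 prefix, the same shape as a
# range-query response: prefix -> set of 35-character suffixes.
_RANGE_INDEX = {}
for _pw in COMPROMISED_SAMPLE:
    _digest = sha1_upper_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def lookup_range(prefix):
    """Stand-in for the remote range query: all known suffixes for one prefix."""
    return _RANGE_INDEX.get(prefix, set())


def is_compromised(password):
    """True if the password's SHA-1 suffix appears under its prefix in the corpus."""
    digest = sha1_upper_hex(password)
    return digest[5:] in lookup_range(digest[:5])


def check_password(candidate):
    """Run the create/update-time checks in order. Returns (ok, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, "too_short"
    lowered = candidate.lower()
    if any(term in lowered for term in BANNED_TERMS):
        return False, "banned_term"
    if is_compromised(candidate):
        return False, "compromised"
    return True, "ok"


def hash_for_storage(password, salt=None):
    """Cryptographically protected storage form: per-user salt plus scrypt,
    serialized as a self-describing record so parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return "scrypt${}${}${}${}${}".format(n, r, p, salt.hex(), key.hex())


def verify_stored(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    for pw in ["password", "AcmeCorporate2024!!",
               "correcthorsebatterystaple", "ravine-otter-lamplight-42"]:
        print(pw, check_password(pw))
    record = hash_for_storage("ravine-otter-lamplight-42")
    print(record, verify_stored("ravine-otter-lamplight-42", record))
```

The order of checks matters for user feedback: length and banned-term failures are explained locally without touching the breach index, and only candidates that pass those are hashed and looked up by prefix. The stored record carries its own parameters so that raising the scrypt cost later does not invalidate existing records.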