NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(1) — Password-based Authentication
For password-based authentication: Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly; Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); Transmit passwords only over cryptographically-protected channels; Store passwords using an approved salted key derivation function, preferably using a keyed hash; Require immediate selection of a new password upon account recovery; Allow user selection of long passwords and passphrases, including spaces and all printable characters; Employ automated tools to assist the user in selecting strong password authenticators; and Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}.
CMMC Practice Mapping
Related Controls
Supplemental Guidance
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.
Practitioner Notes
This enhancement specifies requirements for password-based authentication — minimum length, complexity, and management requirements for passwords.
Example 1: Configure Active Directory password policy via GPO to require minimum 14 characters, check against the Azure AD banned password list, and enforce password history of 24 previous passwords.
Example 2: Deploy Azure AD Password Protection which blocks users from setting passwords containing common words, company names, or patterns found in known breach databases.