CMMC Practice IA.L2-3.5.7 – Password Complexity: Enforce a minimum password complexity and change of characters when new passwords are created.
Links to Publicly Available Resources
Consolidation of default passwords for commercial software and hardware products.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items.
The scope of this test is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application.
This link discusses the process of testing web applications for default credentials.
This SANS guideline provides best practices for creating secure passwords.
This is a sample password protection policy from SANS.
This SANS whitepaper discusses vendor-supplied passwords that are embedded in software/hardware.
US-CERT alert that reviews the risk associated with default passwords on internet-connected systems.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we focus on how this requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators.
Let’s talk about NIST 800-171 Control 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
Discussion [NIST SP 800-171 R2]
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
Further Discussion
Password complexity means requiring a minimum number of characters drawn from several different character types. This applies both when a new password is created and when an existing password is changed. The character types used to define complexity are numbers, lowercase letters, uppercase letters, and symbols. Minimum complexity requirements are left to the organization to define: define the lowest level of password complexity required, define the number of characters that must change when an existing password is changed, and enforce these rules for all passwords. Salting a password means appending a string of random characters (the salt) to the password before hashing it and storing the salt alongside the hash. Because each password gets its own salt, two accounts with the same password produce different stored hashes, and an attacker cannot use precomputed hash tables (rainbow tables) against the stored values.
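The following is an added example, not code from the CMMC or NIST documents, showing how the three rules above are typically enforced in an application that manages its own credentials: a complexity check (minimum length and number of character classes), a changed-character check against the current password, and salted hashing of the accepted password. The policy values (12 characters, 3 classes, 4 changed positions) and the sample passwords are constructed for illustration and are not taken from the page. The changed-character count is computed position by position against the current password, with any difference in length counted as changed positions; that is one reasonable reading of the NIST text, which is why it is done here. Note that this check can only run at the moment the user changes the password, because that is the only time the current password is available in cleartext; it cannot be evaluated later against a stored hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Organization-defined minimums (constructed values for this example)."""
    min_length: int = 12
    min_classes: int = 3        # out of: lower, upper, digit, symbol
    min_changed_chars: int = 4  # positions that must differ from the current password


def character_classes(password: str) -> set:
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def changed_characters(current: str, new: str) -> int:
    """Count positions of the current password whose character differs in the new one.

    Assumption for this example: positions are compared left to right, and any
    difference in length counts as that many additional changed positions.
    """
    differing = sum(1 for a, b in zip(current, new) if a != b)
    return differing + abs(len(current) - len(new))


def check_new_password(policy: PasswordPolicy, new: str, current: str = None) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(character_classes(new)) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character types")
    if current is not None and changed_characters(current, new) < policy.min_changed_chars:
        problems.append(f"fewer than {policy.min_changed_chars} characters changed")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> tuple:
    """Salt and hash a password with PBKDF2-HMAC-SHA256; returns (salt, digest).

    A fresh 16-byte random salt is generated per password unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    policy = PasswordPolicy()
    current = "Summer2023!"  # constructed sample current password

    # A one-character "rotation" of the old password fails the policy.
    print(check_new_password(policy, "Summer2024!", current))

    # A genuinely new password passes, so it is salted, hashed and stored.
    new = "Winter-Coffee-88"  # constructed sample new password
    assert not check_new_password(policy, new, current)
    salt, digest = hash_password(new)
    print(verify_password(new, salt, digest))
    # Same password, different salt: different stored digest.
    print(hash_password(new)[1] != digest)
```

The two checks that depend on the current password (changed characters) and on the stored record (verification) are deliberately separate: the first needs the cleartext of both passwords and runs only inside the change flow, while the second needs only the salt and digest that were stored.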