CMMC Practice IA.L2-3.5.9 – Temporary Passwords: Allow temporary password use for system logons with an immediate change to a permanent password.
Links to Publicly Available Resources
Consolidation of default passwords for commercial software and hardware products. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items. The scope of this test is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application. This link discusses the process of testing web applications for default credentials. This SANS guideline provides best practices for creating secure passwords. This is a sample password protection policy from SANS. This SANS whitepaper discusses vendor-supplied passwords that are embedded in software/hardware. US-CERT alert that reviews the risk associated with default passwords on internet-connected systems. We all get temporary mental lapses, right, especially as we get older, let’s talk about NIST 800-171 Control 3.5.9 Identifiers and Authentication in NIST 800-171.
Discussion [NIST SP 800-171 R2]
Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.
Further Discussion
Users must change their temporary passwords the first time they log in. Temporary passwords often follow a consistent style within an organization and can be more easily guessed than passwords created by the unique user. This approach to temporary passwords should be avoided.