800-53|IA-5(1)

Title

PASSWORD-BASED AUTHENTICATION

Description

The information system, for password-based authentication:

Supplemental

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. It does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards), since the implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute-force attacks against passwords, organizations may also consider salting passwords.
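The following is an added example, not text or code from NIST SP 800-53 or from this reference page, showing how an application can implement the parts of IA-5(1) the supplemental guidance describes: storing only a salted one-way hash (never the plaintext or a reversible encryption), enforcing a minimum number of changed characters between the current and new password, and prohibiting reuse against a password history. The parameter values (PBKDF2 iteration count, salt length, 4 changed characters, 24 generations), the stored-hash string format, and the position-by-position interpretation of "changed characters" are assumptions chosen for the example; IA-5(1) leaves the actual values as organization-defined assignments. PBKDF2-HMAC-SHA256 is used because it is in the Python standard library; a memory-hard function such as Argon2id is preferable where a library for it is available.

```python
import base64
import hashlib
import hmac
import os

# Illustrative parameters. IA-5(1) leaves the actual values as organization-defined
# assignments; the ones below are assumptions for this example, not NIST values.
PBKDF2_ITERATIONS = 600_000   # assumption: work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # assumption: per-password random salt length
MIN_CHANGED_CHARS = 4         # assumption (matches the AIX 'mindiff >= 4' audit item below)
HISTORY_DEPTH = 24            # assumption (matches the Windows 'Enforce password history' items)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing, salted, one-way hash suitable for storage.

    Only this string is persisted. The plaintext and any reversible encryption of it
    never reach the credential store, and the random salt defeats precomputed
    (rainbow-table) brute force across accounts.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iterations, salt_b64, dk_b64 = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # malformed record (binascii.Error is a ValueError subclass)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def changed_characters(current: str, new: str) -> int:
    """Count positions of the current password whose character changed.

    Interpretation used here (an assumption): compare position by position; any
    difference in length counts as that many further changed positions.
    """
    differing = sum(1 for a, b in zip(current, new) if a != b)
    return differing + abs(len(current) - len(new))


def password_change_allowed(current: str, new: str, history: list[str]) -> tuple[bool, str]:
    """Apply the changed-character minimum and the reuse prohibition.

    `history` holds stored hashes of previous passwords, most recent first. Each entry
    carries its own salt, so the candidate must be re-hashed once per entry; this is
    the cost of never keeping a reversible copy of old passwords.
    """
    if changed_characters(current, new) < MIN_CHANGED_CHARS:
        return False, f"fewer than {MIN_CHANGED_CHARS} characters changed"
    if any(verify_password(new, h) for h in history[:HISTORY_DEPTH]):
        return False, f"matches one of the last {HISTORY_DEPTH} passwords"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    old = "Summer2023!!"
    history = [hash_password(old), hash_password("Winter-Frost-77")]
    print(password_change_allowed(old, "Summer2024!!", history))                 # too few changes
    print(password_change_allowed(old, "Winter-Frost-77", history))              # reuse
    print(password_change_allowed(old, "correct horse battery staple", history)) # ok
```

The stored record is self-describing (algorithm, iteration count, salt, digest), so the work factor can be raised later and old records re-hashed at next successful login without a format change. Transmission protection (the "transmits" half of the control) is not shown here; it belongs to the transport layer, e.g. TLS, not to the hashing code.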

Reference Item Details

Related: IA-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure Minimum Password Length is set to 14 or higher | CheckPoint | CIS Check Point Firewall L1 v1.1.0
1.1.1 - /etc/security/user - 'mindiff >= 4' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.1.1 Ensure default password of root is not allowed | F5 | CIS F5 Networks v1.0.0 L1
1.1.1.4 Set 'Minimum password length' to '14 or more character(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.5 Set 'Enforce password history' to '24 or more password(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.6 Set 'Password must meet complexity requirements' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.8 Set 'Minimum password age' to '1 or more day(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.9 Set 'Maximum password age' to '60 or fewer days' | Windows | CIS Windows 8 L1 v1.0.0
1.1.2 - /etc/security/user - 'minage >= 1' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.1.2 Ensure default password of admin is not used | F5 | CIS F5 Networks v1.0.0 L1
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.2.3 Ensure 'Authentication with Exchange server.' is set to 'Enabled:Kerberos/NTLM Password Authentication' | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.1.2.3 Ensure 'Authentication with Exchange server.' is set to 'Enabled:Kerberos/NTLM Password Authentication' | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.1.3 - /etc/security/user - 'maxage <= 13' but not 0 | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.1.10 - /etc/security/user - 'maxexpired <= 2' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.1.19 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.21 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1