800-53|IA-5(1)

Title

PASSWORD-BASED AUTHENTICATION

Description

The information system, for password-based authentication:

Supplemental

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
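An added example (not part of the control text or of any audit item) showing how the points in the guidance above translate into a password-change check: a positional count of changed characters, salted one-way hashing so stored passwords are cryptographically protected, and history comparison against digests rather than plaintext. The 14-character minimum, 24-entry history and `mindiff >= 4` threshold are taken from the audit items listed on this page; the positional reading of "changed characters" and the PBKDF2 iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Thresholds come from audit items on this page; the iteration count is illustrative.
MIN_LENGTH = 14
HISTORY_SIZE = 24
MIN_CHANGED = 4
PBKDF2_ITERATIONS = 100_000


def changed_characters(current: str, proposed: str) -> int:
    """Count positions whose character differs from the current password, plus any
    change in length. This positional reading is an assumption of the example."""
    differing = sum(1 for a, b in zip(current, proposed) if a != b)
    return differing + abs(len(current) - len(proposed))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Cryptographically protect a password: per-password random salt plus a
    one-way PBKDF2-HMAC-SHA256 digest. Only (salt, digest) is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salted digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password_change(current: str, proposed: str,
                          history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed change. `history` holds the
    (salt, digest) pairs of previous passwords, newest first; no plaintext is kept."""
    problems = []
    if len(proposed) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if changed_characters(current, proposed) < MIN_CHANGED:
        problems.append(f"fewer than {MIN_CHANGED} characters changed")
    for salt, digest in history[:HISTORY_SIZE]:
        if verify_password(proposed, salt, digest):
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    return problems
```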

Reference Item Details

Related: IA-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW, MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.1 Ensure Minimum Password Length is set to 14 or higher | CheckPoint | CIS Check Point Firewall L1 v1.1.0
1.1.1 - /etc/security/user - 'mindiff >= 4' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 MS L1 v2.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 MS L1 v2.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 DC L1 v2.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 Standalone DC L1 v1.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 DC L1 v3.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 MS L1 v3.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 R2 DC L1 v3.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 DC L1 v2.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 MS Standalone L1 v1.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 R2 MS L1 v3.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + NG
1.1.1 Ensure default password of root is not allowed | F5 | CIS F5 Networks v1.0.0 L1
1.1.1.4 Set 'Minimum password length' to '14 or more character(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.5 Set 'Enforce password history' to '24 or more password(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.6 Set 'Password must meet complexity requirements' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0