💼 IA-5(1) Password-based Authentication (L)(M)(H)

• Contextual name: 💼 IA-5(1) Password-based Authentication (L)(M)(H)
• ID: /frameworks/fedramp-low-security-controls/ia/05/01
• Located in: 💼 IA-5 Authenticator Management (L)(M)(H)

Description

For password-based authentication:

(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;

(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

(c) Transmit passwords only over cryptographically-protected channels;

(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;

(e) Require immediate selection of a new password upon account recovery;

(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;

(g) Employ automated tools to assist the user in selecting strong password authenticators; and

(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].

IA-5 (1) Additional FedRAMP Requirements and Guidance:

Guidance: Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

Requirement: Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

(h) Requirement: For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

Similar

• Sections
  • /frameworks/nist-sp-800-53-r5/ia/05/01
  • /frameworks/fedramp-high-security-controls/ia/05/01
• Internal
  • ID: dec-c-ab7872ee

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	8
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			8

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (8)

Policy	Logic Count	Flags
📝 AWS Account IAM Password Policy minimum password length is 14 characters or less 🟢	1	🟢 x6
📝 AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟢	1	🟢 x6
📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢	1	🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢	1	🟢 x6