CMMC Practice IA.L2-3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.

Monarch ISC Guidance

Common complexity requirements are to have an 8 character password which uses 3 of the 4 character groups (numbers, lowercase and uppercase letters, and symbols) and use at least 2 of each group. NIST guidance has evolved to suggesting the use of longer passwords, or passphrases, of 15 characters or more, but you do not have to change them as frequently. A hidden part of this practice is that when a user changes their password, the the password should be is suitably different than the original password. Since most systems store passwords in irreversible encryption (or a hash), the system can only tell if the password is exactly the same as it was before, or different. So you may have to make a policy and remind users through education that simply changing the last character from a 1 to a 2, and later to a 3, is NOT an acceptable password change, even if the system allows it.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

References