>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IA-5(1)Authenticator Management | Password-based Authentication

IL4 Mod
IL4 High
IL5
IL6

>Control Description

For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list organization-defined frequency and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: organization-defined composition and complexity rules.

>DoD Impact Level Requirements

DoD FedRAMP+ Parameters

DSPAV must be used.

Additional Requirements and Guidance

IA-5 (1) Requirement: Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users. IA-5 (1) (h) Requirement: For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters. For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used. IA-5 (1) Guidance: Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

>Discussion

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability.

However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords.

The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

>Programmatic Queries

Beta

Related Services

IAM
Secrets Manager
Cognito

CLI Commands

Update user password
aws iam update-login-profile --user-name USERNAME --password NEW_PASSWORD --password-reset-required
List password policy
aws iam get-account-password-policy --output json
Create strict password policy
aws iam update-account-password-policy --minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password
Open AWS ConsoleDocumentation

>Related Controls

IA-6

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-5(1) (Password-Based Authentication)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-5(1)?
  • How frequently is the IA-5(1) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-5(1) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-5(1) requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-5(1)?
  • How is IA-5(1) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-5(1) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-5(1)?
  • What audit logs, records, reports, or monitoring data validate IA-5(1) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-5(1) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-5(1) compliance?

Ask AI

Configure your API key to use AI features.