# Password & Authenticator Guidance (System-Agnostic)

**Document owner:** [Owner/Role]  
**Approved by:** [Steering Committee / CISO]  
**Effective date:** [YYYY-MM-DD]  
**Review cadence:** [Annually]

---

## 1) Purpose & Scope

This document provides **implementation guidance and hardening requirements** for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization]. It applies to IT, IAM administrators, and system owners.

---

## 2) Policy Implementation Guidance

### 2.1 Password Length & Creation

- Configure all systems to **enforce minimum lengths**:
  - **15 characters** for single-factor authentication.
  - **8 characters** for MFA-protected logins.
- Ensure systems accept passwords of **at least 64 characters**, including spaces, all printable ASCII, and Unicode. Count length in Unicode code points, not bytes, and never silently truncate what the user typed.
- Do not enforce composition rules (required digits, symbols, or mixed case); rely on **length + blocklist screening** instead.

### 2.2 Blocklist Screening

- Screen every new or changed password against:
  - **Commonly used passwords** (e.g., "Password123").
  - **Breach corpuses** (public leak data).
  - **Context-specific terms** (company name, product names, the username).
- Compare in a normalized form (case-folded, with trivial substitutions such as "P@ssw0rd" collapsed) so near-variants of blocked entries are also caught.
- Update blocklists at least **quarterly**.

### 2.3 Expiration & Rotation

- Disable periodic password expiration for human accounts.
- Enable **risk/event-driven rotation** when compromise is suspected or confirmed.
- For **service accounts**, enforce **automated rotation** through a secret manager.

### 2.4 Usability & User Experience

- Allow **copy/paste** into password fields to support password managers.
- Provide an optional **"show password"** control on login.
- Prohibit **password hints** and **security questions**.

### 2.5 Multi-Factor Authentication (MFA)

- Require MFA for:
  - All external-facing logins.
  - Administrative access.
  - Remote access (VPN, SSH, RDP, portals).
  - Systems handling **sensitive or regulated data**.
- Prefer **phishing-resistant MFA** (FIDO2/WebAuthn security keys or passkeys). Authenticator apps (TOTP, push) are acceptable where those are unavailable, but they are not phishing-resistant: a real-time proxy can relay the one-time code or the approval prompt.
- Allow **SMS/voice** only as a fallback.
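The checks in 2.1 and 2.2 as an added worked example in Python (not part of the original guidance, and not any vendor's code). The blocklists, organisation terms, and the 128-character implementation cap are constructed for the example; a deployment loads the quarterly-updated lists instead. It shows the two points that are easy to get wrong: length is measured in Unicode code points while the blocklist comparison runs on a folded form, so "pässwörd" passes the 8-character MFA minimum but is still rejected as "password".

```python
import re
import unicodedata

# Policy thresholds from sections 2.1 and 2.2.
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_WITH_MFA = 8
REQUIRED_MAX_LEN = 64        # systems must accept at least this many characters
IMPLEMENTATION_CAP = 128     # assumed hard cap above the requirement; reject, never truncate
assert IMPLEMENTATION_CAP >= REQUIRED_MAX_LEN

# Constructed sample blocklists for this example. A real deployment loads the
# quarterly-updated common-password and breach-corpus lists plus its own term list.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "welcome1", "summer2024"}
ORG_TERMS = {"acme", "acmecorp", "widgetizer"}   # hypothetical company and product names

# Leet substitutions folded before blocklist comparison ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def fold(password: str) -> str:
    """Canonical form used only for blocklist comparison: compatibility-decompose,
    drop combining marks (so 'pässwörd' -> 'password'), then case-fold."""
    decomposed = unicodedata.normalize("NFKD", password)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def candidates(password: str) -> set[str]:
    """Variants compared against the blocklist: the folded string, the same with
    trailing digits/punctuation stripped ('password123!' -> 'password'), and both
    with leet characters decoded."""
    base = fold(password)
    root = re.sub(r"[\d\W_]+$", "", base)
    return {base, root, base.translate(LEET), root.translate(LEET)}


def evaluate_password(password: str, *, mfa_enrolled: bool, username: str = "") -> list[str]:
    """Return the policy violations for a proposed password; an empty list means accept.
    There are deliberately no composition rules. Length is counted in code points
    (len() on a str), never in UTF-8 bytes, and the input is never truncated."""
    problems: list[str] = []
    min_len = MIN_LEN_WITH_MFA if mfa_enrolled else MIN_LEN_SINGLE_FACTOR
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > IMPLEMENTATION_CAP:
        problems.append(f"longer than {IMPLEMENTATION_CAP} characters")

    variants = candidates(password)
    if variants & COMMON_PASSWORDS:
        problems.append("matches a common or breached password")

    # Organisation terms and the username are blocked as substrings (terms of 4+ chars).
    terms = {t for t in ORG_TERMS if len(t) >= 4}
    if username and len(username) >= 4:
        terms.add(fold(username))
    hit = next((t for t in sorted(terms) if any(t in v for v in variants)), None)
    if hit:
        problems.append(f"contains the blocked term '{hit}'")
    return problems


if __name__ == "__main__":
    for pw, mfa in [("Password123", False), ("correct horse battery staple", False),
                    ("P@ssw0rd123!", True), ("p\u00e4ssw\u00f6rd", True)]:
        print(f"{pw!r:34} mfa={mfa!s:5} -> {evaluate_password(pw, mfa_enrolled=mfa) or 'OK'}")
```

The stripped-suffix and leet variants are cheap and catch the bulk of human mutations of blocked words; they are not a substitute for a breach-corpus lookup, which should be done against the full list (or a k-anonymity range query) rather than the small set shown here.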
### 2.6 Account Lockout & Rate Limiting

- Enforce **rate limiting** on failed login attempts, tracked per account and per source address.
- Apply **escalating timeouts** (e.g., 30 s → 1 min → 5 min) rather than a fixed lockout threshold.
- Avoid permanent lockouts: an attacker who can trigger them can deny service to legitimate users simply by guessing wrong.

### 2.7 Password Storage & Transmission

- Transmit credentials only over **encrypted channels** (TLS 1.2+).
- Store passwords using:
  - **Argon2id (preferred)**, or
  - **bcrypt** / **PBKDF2** with a high work factor.
- Use a **unique random salt** (≥32 bits; 128 bits recommended) per credential.
- Consider adding a server-side **"pepper"** held outside the credential database (HSM/TEE/secret manager), so a dump of the database alone cannot be attacked offline.
- Caveat: bcrypt truncates its input at 72 bytes. Since 2.1 requires accepting 64-character Unicode passwords (up to 256 bytes of UTF-8), either use Argon2id or pre-hash the password (e.g., HMAC-SHA-256, hex-encoded) before bcrypt.

### 2.8 Resets & Recovery

- Require MFA for password resets.
- Prohibit knowledge-based authentication (KBA/security questions).
- Revoke all active sessions and tokens after a reset that follows a suspected compromise.

### 2.9 Administrative & Privileged Accounts

- Enforce **separate admin accounts** for elevated tasks.
- Protect all privileged accounts with **MFA**.
- Provision administrative access **just-in-time** or **time-bound**.
- Prohibit shared admin credentials; vault and monitor any break-glass accounts.

### 2.10 Service & Machine Accounts

- Prefer **key-based**, **certificate-based**, or **federated identities** over passwords.
- If passwords are required:
  - **≥30 characters**, randomly generated.
  - Stored only in **approved secret managers**.
  - Automatically rotated and logged.
- Prohibit interactive login with service accounts.

### 2.11 Dormant Accounts

- Disable accounts after **45 days of inactivity**.
- Conduct **quarterly account reviews** for all user and service accounts.

### 2.12 Application Integration

Applications authenticating users **must**:

- Support the policy requirements for **length**, **blocklist checks**, and **no composition rules**.
- Allow **paste/autofill**.
- Not truncate credentials.
- Store credentials with modern password hashing (see 2.7).

---

## 3) Hardening Checklist

✅ Enforce MFA on all sensitive and external-facing systems.
✅ Implement blocklist screening for weak/compromised passwords.
✅ Remove periodic password expiration policies for human users.
✅ Store passwords only with Argon2id, bcrypt, or PBKDF2 (see 2.7).
✅ Rate-limit login attempts with escalating delays.
✅ Disable accounts inactive for ≥45 days.
✅ Require password manager compatibility (paste, show-password).
✅ Review and disable legacy authentication protocols (e.g., plaintext FTP/POP/IMAP, NTLMv1).
✅ Audit password changes, resets, and lockout events.

---

## 4) References

- **NIST SP 800-63B, Digital Identity Guidelines** (2023 update)
- **CIS Controls v8.1** (Controls 5 & 6)
- **OWASP Authentication Cheat Sheet**
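The storage requirements of 2.7 (per-credential random salt, server-side pepper, constant-time comparison, no truncation) and the escalating throttle of 2.6, as one added worked example in Python. This is not code from the original guidance or from any referenced standard. Assumptions made for the example: PBKDF2-HMAC-SHA256 stands in for Argon2id only because it ships in the standard library (a deployment should use Argon2id, e.g. via the argon2-cffi package); the pepper is read from a `PASSWORD_PEPPER` environment variable with a constructed fallback; the throttle allows three free failures before the 30 s / 1 min / 5 min schedule, with 5 min repeating thereafter and no permanent lockout.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Work factor and sizes. PBKDF2-HMAC-SHA256 is used here only because it is in the
# standard library; production should prefer Argon2id (section 2.7).
PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # 128-bit random salt per credential (policy minimum is 32 bits)

# The pepper lives outside the credential database (HSM/TEE/secret manager). Here it
# comes from an environment variable, with a constructed fallback so the example runs.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-do-not-use").encode()


def _prehash(password: str) -> bytes:
    """Keyed pre-hash with the pepper. The full UTF-8 password is used, so nothing is
    truncated; a database dump without the pepper cannot be attacked offline."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    computed = hashlib.pbkdf2_hmac("sha256", _prehash(password),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


@dataclass
class LoginThrottle:
    """Escalating per-account delay after failed attempts (section 2.6): after the free
    attempts, 30 s, then 60 s, then 300 s for every further failure. There is no
    permanent lockout, and a successful login clears the counter."""
    delays: tuple[int, ...] = (30, 60, 300)
    free_attempts: int = 3   # assumed: failures allowed before the first delay
    failures: dict[str, int] = field(default_factory=dict)
    blocked_until: dict[str, float] = field(default_factory=dict)

    def retry_after(self, account: str, now: float) -> float:
        return max(0.0, self.blocked_until.get(account, 0.0) - now)

    def record_failure(self, account: str, now: float) -> float:
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        over = n - self.free_attempts
        if over <= 0:
            return 0.0
        delay = self.delays[min(over, len(self.delays)) - 1]   # caps at the last step
        self.blocked_until[account] = now + delay
        return float(delay)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.blocked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  record: str, now: float) -> tuple[bool, float]:
    """Return (authenticated, seconds until the next attempt is allowed)."""
    wait = throttle.retry_after(account, now)
    if wait > 0:
        return False, wait   # refuse before touching the hash while throttled
    if verify_password(password, record):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account, now)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    throttle = LoginThrottle()
    for guess in ["wrong", "wrong", "wrong", "wrong", "correct horse battery staple"]:
        ok, wait = attempt_login(throttle, "alice", guess, record, time.time())
        print(f"{guess!r:32} -> authenticated={ok} retry_after={wait:.0f}s")
```

The record format carries its own algorithm and iteration count, which is what lets the work factor be raised later: verify with the stored parameters, then re-hash with the current ones on a successful login. Keying the throttle on the source address as well as the account (2.6) needs a second `LoginThrottle` instance or a composite key; the per-account one alone is enough to show the schedule.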