STIGhub: a free STIG search and compliance tool. STIGs updated 3 days ago.
Powered by Pylon · Privacy · Terms · © 2026 Beacon Cloud Solutions, Inc.

IA-5 (1)

Identification and Authentication | Rev 5 | organization

Password-based Authentication

Baselines: Low, Moderate, High

Control Statement

For password-based authentication:

Supplemental Guidance

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.
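The screening and storage practices this guidance describes (rejecting listed, repetitive, sequential and context-specific passwords, then storing only a salted, keyed one-way hash), as an added Python example that is not STIGhub's or NIST's code. The blocklist is a tiny constructed stand-in, and the service name `stighub`, the 15-character minimum and the PBKDF2 work factor are assumed organization-defined values.

```python
import hashlib
import hmac
import os
import re
# Constructed stand-in for the breach-corpus / common-password list; real deployments load a large list.
BLOCKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 15        # assumed organization-defined minimum length (IA-5(1)(h))
ITERATIONS = 600_000   # assumed PBKDF2 work factor
_LEET = str.maketrans("@$0345", "asoeas")  # so 'P@ssw0rd' is screened as 'password'

def _forms(password):
    """Lowercased, leet-folded and trailing-digit-stripped variants used for list matching."""
    low, core = password.lower(), password.lower().rstrip("0123456789!")
    return {low, core, low.translate(_LEET), core.translate(_LEET)}

def _is_repetitive_or_sequential(s, run=4):
    """True if any window of `run` chars (assumed threshold) is 'aaaa', 'abcd' or 'dcba' style."""
    for i in range(len(s) - run + 1):
        diffs = {ord(b) - ord(a) for a, b in zip(s[i:i + run], s[i + 1:i + run])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def _contains_context(norm, username, service):
    """Context-specific words: the service name, the username and its parts, forwards or reversed."""
    words = [service.lower()] + re.split(r"[@._\-]", username.lower())
    return any(w in norm or w[::-1] in norm for w in words if len(w) >= 3)

def password_problems(password, username, service="stighub", min_length=MIN_LENGTH):
    """Return the reasons a candidate password fails screening; an empty list means accept."""
    low = password.lower()
    checks = [
        (len(password) < min_length, "shorter than the organization-defined minimum length"),
        (not _forms(password).isdisjoint(BLOCKED_PASSWORDS), "found on the compromised-password list"),
        (_is_repetitive_or_sequential(low), "contains repetitive or sequential characters"),
        (_contains_context(low.translate(_LEET), username, service), "derived from the username or service name"),
    ]
    return [msg for hit, msg in checks if hit]

def hash_password(password, pepper, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, then a keyed hash (HMAC) under a pepper stored apart from the DB."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = hmac.new(pepper, dk, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "iterations": iterations, "hash": tag}

def verify_password(password, pepper, record):
    """Recompute from the stored salt and work factor, then compare in constant time."""
    again = hash_password(password, pepper, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(again["hash"], record["hash"])
```

The pepper must be held outside the credential store (e.g. in a secrets manager), otherwise the keyed hash adds nothing over the salt alone.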

Related Controls (1)

IA-6

CCI Identifiers (32)

CCI-000192: The information system enforces password complexity by the minimum number of upper case characters used.
CCI-001616: The organization defines minimum password lifetime restrictions.
CCI-002041: The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001618: The organization defines the number of generations for which password reuse is prohibited.
CCI-000191 (deprecated): The organization enforces password complexity by the number of special characters used.
CCI-000193: The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194: The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195: The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000196: The information system, for password-based authentication, stores only cryptographically-protected passwords.
CCI-000197: For password-based authentication, transmit passwords only over cryptographically-protected channels.
CCI-000198: The information system enforces minimum password lifetime restrictions.
CCI-000199: The information system enforces maximum password lifetime restrictions.
CCI-000200: The information system prohibits password reuse for the organization-defined number of generations.
CCI-000205: The information system enforces minimum password length.
CCI-001612: The organization defines the minimum number of upper case characters for password complexity enforcement.
CCI-001613: The organization defines the minimum number of lower case characters for password complexity enforcement.
CCI-001614: The organization defines the minimum number of numeric characters for password complexity enforcement.
CCI-001615: The organization defines the minimum number of characters that are changed when new passwords are created.
CCI-001617: The organization defines maximum password lifetime restrictions.
CCI-001611: The organization defines the minimum number of special characters for password complexity enforcement.
CCI-001619: The information system enforces password complexity by the minimum number of special characters used.
CCI-004058: For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
CCI-004057: Defines the frequency for updating commonly used, expected, or compromised passwords, when they are suspected of being compromised directly or indirectly.
CCI-004059: For password-based authentication, update the list of passwords on an organization-defined frequency.
CCI-004063: For password-based authentication, require immediate selection of a new password upon account recovery.
CCI-004064: For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
CCI-004065: For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
CCI-004066: For password-based authentication, enforce organization-defined composition and complexity rules.
CCI-004067: Defines the composition and complexity rules to be enforced.
CCI-004060: For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
CCI-004061: For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
CCI-004062: For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Linked STIG Checks (200)

Across 43 STIGs.