Following a rigorous review of the ability of passwords and passphrases to withstand attack, security control 0423 was merged into security control 1402 and additional recommendations were added.
Sep 2019
Management practices for passphrases used as the sole method of authentication:
§ ensure that passphrases are changed at least every 90 days
§ prevent passphrases from being changed more than once a day
§ prevent passphrases from being reused within eight passphrase changes
§ prevent the use of sequential passphrases where possible.
Security control 0423 was modified to clearly state its applicability to scenarios where passphrases are used as the sole method of authentication. Furthermore, the requirement to prevent passphrases from being stored in cleartext was removed from security control 0423 due to the overlap with security control 1402.
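The four Sep 2019 practices above, expressed as a check applied to a proposed passphrase change. This is an added example, not part of the control text and not code supplied with the ISM; the record layout, the salted PBKDF2 digests used for the history (so that earlier passphrases are never held in cleartext), the iteration count, and the trailing-number heuristic used to recognise a "sequential" passphrase are all assumptions of the example. The check needs the current passphrase in cleartext, which is available at change time because the user supplies it to authorise the change.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Parameters taken from the Sep 2019 wording of the control.
MAX_AGE_DAYS = 90    # changed at least every 90 days
MIN_AGE_DAYS = 1     # not changed more than once a day
HISTORY_DEPTH = 8    # not reused within eight passphrase changes

# Illustrative KDF parameters (assumption of this example, kept low so the demo runs quickly).
_KDF_ITERATIONS = 10_000
_TRAILING_COUNTER = re.compile(r"\d+$")


def _digest(passphrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; history entries hold these, never cleartext."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, _KDF_ITERATIONS)


@dataclass
class PassphraseRecord:
    last_changed: date
    # (salt, digest) pairs, oldest first; the current passphrase is history[-1].
    history: list = field(default_factory=list)

    @classmethod
    def create(cls, passphrase: str, when: date) -> "PassphraseRecord":
        rec = cls(last_changed=when)
        rec.record(passphrase, when)
        return rec

    def record(self, passphrase: str, when: date) -> None:
        """Store the new passphrase digest and drop anything older than the last eight."""
        salt = os.urandom(16)
        self.history.append((salt, _digest(passphrase, salt)))
        del self.history[:-HISTORY_DEPTH]
        self.last_changed = when


def is_expired(rec: PassphraseRecord, today: date) -> bool:
    """True once 90 days have elapsed since the last change (a change is due)."""
    return (today - rec.last_changed).days >= MAX_AGE_DAYS


def is_sequential(old: str, new: str) -> bool:
    """Heuristic: same stem with a different trailing number, e.g. Winter2023 -> Winter2024."""
    old_stem = _TRAILING_COUNTER.sub("", old).casefold()
    new_stem = _TRAILING_COUNTER.sub("", new).casefold()
    return bool(old_stem) and old_stem == new_stem and old != new


def evaluate_change(rec: PassphraseRecord, current: str, new: str, today: date) -> list:
    """Return the policy violations for a proposed change; an empty list means it is allowed."""
    salt, digest = rec.history[-1]
    if not hmac.compare_digest(_digest(current, salt), digest):
        return ["current passphrase does not match"]
    problems = []
    if (today - rec.last_changed).days < MIN_AGE_DAYS:
        problems.append("changed within the last day")
    if is_sequential(current, new):
        problems.append("sequential to the current passphrase")
    if any(hmac.compare_digest(_digest(new, s), d) for s, d in rec.history):
        problems.append("reused within the last %d passphrases" % HISTORY_DEPTH)
    return problems


def demo() -> dict:
    """Constructed scenario: passphrase set on 1 Sep 2019, then several change attempts."""
    set_on = date(2019, 9, 1)
    first = "correct horse battery 1"
    rec = PassphraseRecord.create(first, set_on)
    next_day = set_on + timedelta(days=1)
    out = {
        "same_day": evaluate_change(rec, first, "tiger pancake orbit 7", set_on),
        "sequential": evaluate_change(rec, first, "correct horse battery 2", next_day),
        "reused": evaluate_change(rec, first, first, next_day),
        "allowed": evaluate_change(rec, first, "tiger pancake orbit 7", next_day),
        "expired_day89": is_expired(rec, set_on + timedelta(days=89)),
        "expired_day90": is_expired(rec, set_on + timedelta(days=90)),
    }
    # Rotate through eight further passphrases one day apart; the original then leaves the history.
    day, current = set_on, first
    for i in range(HISTORY_DEPTH):
        day += timedelta(days=1)
        nxt = "rotation passphrase %s" % chr(ord("a") + i)  # letter suffix, so not "sequential"
        assert evaluate_change(rec, current, nxt, day) == []
        rec.record(nxt, day)
        current = nxt
    out["history_len"] = len(rec.history)
    out["original_after_eight"] = evaluate_change(rec, current, first, day + timedelta(days=1))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The expiry and minimum-age checks are the two the operating system usually enforces on its own (shadow maximum and minimum age on Linux, maximum and minimum password age in Windows policy); the history and sequential checks are the ones that need the change-time hook shown here, and the history must be kept as digests because the control set at the time separately prohibited storing passphrases in cleartext.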
Aug 2019
Passphrase management practices:
§ ensure that passphrases are changed at least every 90 days
§ prevent passphrases from being changed by a user more than once a day
§ prevent passphrases from being reused within eight passphrase changes
§ prevent the use of sequential passphrases where possible
§ prevent passphrases being stored in cleartext.
2015
Agencies must:
• ensure that passphrases are changed at least every 90 days
• prevent passphrases from being changed by the user more than once a day
• prevent passphrases from being reused within eight passphrase changes
• prevent the use of sequential passphrases where possible
• prevent passphrases being stored in cleartext.
2010
Agencies should:
• ensure passwords are changed at least every 90 days
• prevent system users from changing their password more than once a day
• check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements
• force the system user to change an expired password on initial logon or if reset.
2008
Agencies should:
a. ensure passwords are changed at least every 90 days
b. prevent system users from changing their password more than once a day
c. check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements
d. force the system user to change an expired password on initial logon or if reset.