ISM-1227

Credentials set for user accounts are randomly generated.

Topic: Setting credentials for user accounts
Applicable to: all

History

Priority: must
Mar 2022
Credentials set for user accounts are randomly generated.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Aug 2020
Passwords/passphrases set or reset on users’ behalf are randomly generated.
Security control 1227 was amended to recommend that when setting or resetting passwords/passphrases that they be randomly generated.
Jul 2020
Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date.
Oct 2019
Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date.
Security controls 0976 and 1227 were modified slightly.
Sep 2019
Passphrases resets are:
- random for each individual reset
- not reused when resetting multiple accounts
- not based on a single dictionary word
- not based on another identifying factor, such as the user’s name or the date.
2015
Agencies must ensure reset passphrases are:
- random for each individual reset
- not reused when resetting multiple accounts
- not based on a single dictionary word
- not based on another identifying factor, such as the user’s name or the date.