Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.
Topic: Protecting credentials
Applicable to: all
Priority: must
History
Mar 2022
Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.
The previous recommendation to ensure that credentials are hashed, salted and stretched when stored on systems has been expanded to include the use of password managers and hardware security modules. Furthermore, the existing recommendation within the Guidelines for Database Systems that duplicated the hashing, salting and stretching advice (ISM-1252) was rescinded.
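The "salting, hashing and stretching" wording in the control describes a specific storage technique: a per-credential random salt, a one-way hash, and a deliberately slow (stretched) derivation so that offline guessing of a stolen database is expensive. The following is an added illustration, not code from the ISM or from ASD: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the stretching function (the control does not mandate an algorithm; Argon2id or scrypt are equally valid choices), and the storage record format, the 600,000-iteration default and the sample passwords are assumptions made here for the example. A naive unsalted SHA-256 digest is included alongside it to show why salt matters.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Record format assumed for this example: algorithm$iterations$salt$hash
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed work factor; raise it as hardware improves
SALT_BYTES = 16
DKLEN = 32


def weak_hash(password: str) -> str:
    """Unsalted, unstretched digest (what the control forbids).

    Identical passwords produce identical digests, so a single
    precomputed table cracks every user sharing a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salt, hash and stretch a password into a self-describing record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count
    and compare in constant time. Malformed records verify as False."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the mismatch occurs
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was stretched with fewer iterations than the
    current policy; call after a successful login and re-store the result."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
    # Same password, different salt -> different record; both still verify.
    print("salted records differ:",
          hash_password("shared") != hash_password("shared"))
    print("unsalted digests collide:", weak_hash("shared") == weak_hash("shared"))
```

The record stores its own algorithm tag and iteration count, so the work factor can be raised later without invalidating existing credentials: `needs_rehash` flags old records and the application re-hashes on the next successful login, when it briefly has the plaintext.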
Aug 2020
Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched.
Security control 1402 was amended to focus on the storage of credentials on systems.
Jul 2020
Credentials are protected by ensuring:
• passwords/passphrases expire every 12 months
• passwords/passphrases are stored as salted hashes
• password/passphrase stretching is implemented
• passwords/passphrases that are compromised are revoked
• passwords/passphrases are never sent in the clear across networks.
Dec 2019
Credentials are protected by ensuring:
• passwords/passphrases expire every 12 months
• passwords/passphrases are stored as salted hashes
• password/passphrase stretching is implemented
• passwords/passphrases appearing in breach databases are blacklisted
• passwords/passphrases are never sent in the clear across networks.
Security control 1402 was modified slightly to fix a grammar error.
Nov 2019
Credentials are protected by ensuring:
• passwords/passphrases expire every 12 months
• passwords/passphrases are stored as salted hashes
• password/passphrase stretching is implemented
• password/passwords appearing in breach databases are blacklisted
• passwords/passphrases are never sent in the clear across networks.
Oct 2019
Credentials are protected by ensuring:
• passwords/passphrases expire every 12 months
• passwords/passphrases are stored as salted hashes
• password/passphrase stretching is implemented
• password/passwords appearing in breach databases are blacklisted
• passwords/passphrases are never sent in the clear across networks.
Following a rigorous review of the ability of passwords and passphrases to withstand attack, security control 0423 was merged into security control 1402 and additional recommendations were added.
Sep 2019
Authentication information stored or communicated by a system is protected from unauthorised access.
2015
Authentication information stored on a system must be protected.