Status: Live
The organization will maintain a standard and appropriate procedures to change user passwords on a regular basis. [UCF ID 00520]
Supporting and supported controls
This control directly supports:
- Establish and maintain user account and access management [UCF Control ID 00514]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Information Security, Pg 27, Exam Tier II Obj A.4 (Authentication); FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 3.3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 9.2; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R5.3.3; American Express Data Security Standard (DSS), § 1a; MasterCard Electronic Commerce Security Architecture Best Practices, April 2003, § 3-3, § 3-8; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 8.5.9; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-15.i; Protection of Assets Manual, ASIS International, Pg 15-IV-28; C-TPAT Supply Chain Security Best Practices Catalog, Pg 46; Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Password Protection; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-303.i; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 4 IA-5, Exhibit 8 Control 02 thru Exhibit 8 Control 04; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.11.3; The Standard of Good Practice for Information Security, CB3.1.4(d), CI4.5.3(g), UE2.1.2(d); CI Security Windows 2000, v2.2.1, Pg 11; CI Security Windows 2000 Server, v2.2.1, § 2.1.2; CI Security Windows 2000 Professional, v2.2.1, § 2.1.2, § 2.2.2.2; CI Security Windows NT, v1.0.5, Pg 12, Pg 14; CI Security Windows XP Professional SP1/SP2, v2.01, § 2.1.2; Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings, Pg 3; Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1, § 6.1; NSA Guide to Securing Microsoft Windows XP, Pg 16; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1100); DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR1100, WIR1110); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.2 (WIR1100), App B.1; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR2100), App B.3; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 5 (WIR0450); ISO 17799:2005 Code of Practice for Information Security Management, § 11.3.1, § 11.5.3; ISO/IEC 27002-2005 Code of practice for information security management, § 11.3.1, § 11.5.3; OECD / World Bank Technology Risk Checklist, Version 7.3, § IV.4; Australian Government ICT Security Manual (ACSI 33), § 3.6.13; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 8.5.9; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-5 Item 48; Archer Control Table, ATCS-301; Level-2 Windows 2000 Professional Operating System Benchmark, v2.2.1, § 11; Italy Personal Data Protection Code, Annex B.5
Banking and Finance Guidance
[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]
Users should be forced to change their passwords regularly. [Pg 27, Exam Tier II Obj A.4 (Authentication), FFIEC IT Examination Handbook – Information Security]
[Exam Tier II Obj 3.3, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 9.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Energy Guidance
Each password shall be changed at least annually, or more frequently based on risk. [CIP-007-1 R5.3.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
The organization must change employee passwords regularly. [§ 1a, American Express Data Security Standard (DSS)]
Change passwords at least every 30 days.
Change workstation and server passwords at least every 30 days. [§ 3-3, § 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003]
The organization must ensure it has developed a password and user authentication management program that requires users to change their passwords at least every 90 days.
For service providers, the customer documentation should be examined to verify customers are required to change their passwords periodically and when passwords should be changed.
Examine a sample of components to verify the system configuration for passwords is set to force users to change their passwords every 90 days.
Interview system security officers to determine if the password parameters are set properly. [§ 8.5.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The password for the payment gateway system should be changed regularly. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
The organization must ensure it has developed a password and user authentication management program that requires users to change their passwords at least every 90 days. [§ 8.5.9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Passwords for "Classified Sensitive" systems should be changed semiannually. All other system passwords should be changed annually. [§ 2-15.i, Army Regulation 380-19: Information Systems Security, February 27, 1998]
All telephone system and voice mail passwords should be changed frequently. [Pg 15-IV-28, Protection of Assets Manual, ASIS International]
Passwords must be changed at least every 90 days. [Pg 46, C-TPAT Supply Chain Security Best Practices Catalog]
Passwords must be changed at least every 90 days. [Password Protection, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]
Passwords must be changed at least every 12 months. [§ 8-303.i, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
US Internal Revenue Guidance
Passwords for standard user accounts must be changed at least every 90 days. Passwords for privileged user accounts must be changed at least every 60 days. [Exhibit 4 IA-5, Exhibit 8 Control 02 thru Exhibit 8 Control 04, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.11.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Passwords on all WLAN components should be changed on a regular basis. [Table 8-5 Item 48, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
System Configuration Guidance
User accounts should have their passwords changed at least every 90 days. [Pg 11, CI Security Windows 2000, v2.2.1]
All passwords are changed at least every 90 days, including the Administrator and Guest accounts. [§ 2.1.2, CI Security Windows 2000 Server, v2.2.1]
All passwords are changed at least every 90 days, including the Administrator and Guest accounts. [§ 2.1.2, § 2.2.2.2, CI Security Windows 2000 Professional, v2.2.1]
Passwords should be changed at least every 90 days. [Pg 12, Pg 14, CI Security Windows NT, v1.0.5]
The organization must change user passwords on a regular basis. The benchmark also states that the requirement to change passwords provides a practical defense against brute force password attacks. Given the nature of a brute force attack, it will always succeed if there is enough time to eventually guess the password. On a typical computer, it may take weeks or even months to guess a long alphanumeric password. However, if the password expired and was changed during this period, the attack will fail. Therefore the maximum password age is also driven by the capacity of the most common password cracking software. [§ 2.1.2, CI Security Windows XP Professional SP1/SP2, v2.01]
Users are required to change their passwords every x number of days. If they don't change their passwords at this predetermined time, they will be locked out of the system. [Pg 3, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings]
All passwords are changed at least every 90 days, including the Administrator and Guest accounts. [§ 6.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1]
This setting defines how long users are allowed to use their passwords before they expire. The values for this setting can range from 1 to 999 days. A value of 0 means the password will never expire. The default value is 42 days. The Maximum password age value should be set to 90 days. [Pg 16, NSA Guide to Securing Microsoft Windows XP]
User accounts should have their passwords changed at least every 90 days. [§ 11, Level-2 Windows 2000 Professional Operating System Benchmark, v2.2.1]
Other Configuration Guidance
If PIN authentication is used for wireless e-mail devices, the passwords should be changed at least every 90 days. [§ 2.2 (WIR1100), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
Passwords should be changed at least every 90 days. The BlackBerry Enterprise Server (BES) should be configured to enforce this policy. If password protection is used with CAC/PKI authentication, changing passwords should not be required. [§ 2.2 (WIR1100, WIR1110), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4]
If PIN authentication is used for wireless e-mail devices, the passwords should be changed at least every 90 days. The Good Management Server Security policy rule "Password Expires After" should be set to 90 days or less. This is located under the Password tab - Password Restrictions. [§ 2.2 (WIR1100), App B.1, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
If password authentication is used for wireless e-mail devices, the passwords should be changed at least every 90 days. The Trust Digital security policy rule "Password Expiration" should be set to 90 days. This is located under Policy Manager/Power-on Password. [§ 2.2 (WIR2100), App B.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
If PIN authentication is used for PDAs or Smart phones, the passwords should be changed at least every 90 days.
Interview the Information Assurance Officer (IAO) and the Security Administrator to verify the PIN authentication settings for PDAs and Smart phones are configured correctly. [§ 5 (WIR0450), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
ISO Guidance
Passwords should be changed on a regular basis and when there is an indication of compromise. [§ 11.3.1, § 11.5.3, ISO 17799:2005 Code of Practice for Information Security Management]
Passwords should be changed on a regular basis and when there is an indication of compromise. [§ 11.3.1, § 11.5.3, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
Passwords should be changed on a regular basis and more frequently for accounts with special access privileges. [CB3.1.4(d), CI4.5.3(g), UE2.1.2(d), The Standard of Good Practice for Information Security]
EU Guidance
Automated enforcement for changing passwords should be provided. [§ IV.4, OECD / World Bank Technology Risk Checklist, Version 7.3]
Other European and African Guidance
Passwords must be changed when the password is first used and at least every 6 months. For sensitive or judicial data, the password must be changed at least every 3 months. [Annex B.5, Italy Personal Data Protection Code]
Asia and Pacific Rim Guidance
Passwords should be changed at least every 90 days. [§ 3.6.13, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of active user passwords that are set to expire in accordance with policy [UCF Control ID 02087]
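The following is an added audit helper, not code from the Unified Compliance Framework or from any of the authority documents above. It ties together three points on this page: the Windows "Maximum password age" setting described in the NSA XP guidance (1 to 999 days, 0 meaning never expire, 90 days recommended), the PCI examination step of checking a sample of components for the configured expiry, and the metric for this control (percentage of active user passwords set to expire in accordance with policy). It parses a constructed capture of Windows `net accounts` output (a real command; the values shown are invented, and the parser assumes the "Maximum password age (days):" line prints "Unlimited" when the policy value is 0), then evaluates a constructed list of accounts against the 90-day standard / 60-day privileged split quoted from IRS Publication 1075. Account names, dates and the `Account` class are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of Windows `net accounts` output (real command; invented values).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
"""

_MAX_AGE_RE = re.compile(r"^Maximum password age \(days\):\s*(\S+)\s*$", re.MULTILINE)


def parse_max_password_age(net_accounts_output: str) -> int:
    """Return the maximum password age in days; 0 means passwords never expire.

    Assumption: `net accounts` prints 'Unlimited' where the policy value is 0,
    so both spellings of 'never expire' map to 0. Raises ValueError if absent.
    """
    m = _MAX_AGE_RE.search(net_accounts_output)
    if m is None:
        raise ValueError("Maximum password age line not found")
    raw = m.group(1)
    return 0 if raw.lower() == "unlimited" else int(raw)


def max_age_compliant(days: int, ceiling: int = 90) -> bool:
    """True when the setting forces a change within `ceiling` days.

    0 (never expire) fails, as does any value above the ceiling. The 90-day
    default mirrors the NSA and CIS Windows guidance quoted on this page.
    """
    return 1 <= days <= ceiling


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    enabled: bool
    password_never_expires: bool
    password_last_set: date


AUDIT_DATE = date(2009, 6, 1)  # constructed "today" so the example is reproducible


def _days_ago(n: int) -> date:
    return AUDIT_DATE - timedelta(days=n)


# Constructed directory sample (invented accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", False, True, False, _days_ago(30)),
    Account("bob", False, True, False, _days_ago(120)),
    Account("carol", True, True, False, _days_ago(45)),
    Account("dave", True, True, False, _days_ago(75)),
    Account("svc_backup", True, True, True, _days_ago(10)),
    Account("eve", False, False, False, _days_ago(400)),  # disabled: not "active"
]


def expiry_metric(accounts, today: date = AUDIT_DATE,
                  standard_ceiling: int = 90, privileged_ceiling: int = 60):
    """Compute UCF metric 02087 over active (enabled) accounts.

    An account complies when its password is set to expire and was last
    changed within its class ceiling (90 days standard, 60 days privileged,
    following the IRS Publication 1075 split quoted on this page).
    Returns (percentage_compliant, names_out_of_policy).
    """
    active = [a for a in accounts if a.enabled]
    out_of_policy = []
    for a in active:
        ceiling = privileged_ceiling if a.privileged else standard_ceiling
        age = (today - a.password_last_set).days
        if a.password_never_expires or age > ceiling:
            out_of_policy.append(a.name)
    if not active:
        return 0.0, out_of_policy
    compliant = len(active) - len(out_of_policy)
    return round(100.0 * compliant / len(active), 1), out_of_policy


if __name__ == "__main__":
    max_age = parse_max_password_age(SAMPLE_NET_ACCOUNTS)
    print(f"Maximum password age: {max_age} days -> "
          f"{'OK' if max_age_compliant(max_age) else 'OUT OF POLICY'}")
    pct, bad = expiry_metric(SAMPLE_ACCOUNTS)
    print(f"{pct}% of active accounts expire in accordance with policy; "
          f"out of policy: {', '.join(bad)}")
```

Disabled accounts are excluded because the metric counts active user passwords; a service account flagged "password never expires" is reported as out of policy even when its password is fresh, since the control is about the setting that forces rotation, not the current age alone.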
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
