Does your organization enforce minimum strength requirements for passwords, PINs, and other authenticators?
Explanation
Password strength policies raise the cost of every guess an attacker makes, whether through online password spraying or offline brute-force and dictionary attacks against stolen hashes. Strong policies typically include a minimum length, a maximum length long enough to allow passphrases, and rejection of common, context-specific (the organization's name, the username), or previously breached passwords. Composition rules (required uppercase, lowercase, digits, and special characters) are still widespread, but NIST SP 800-63B advises against mandating them, since they push users toward predictable patterns such as "Password1!" without adding much entropy; length combined with a breached-password check does more to blunt these attacks. The same principle applies to PINs and other short secrets: enforce a minimum length, block trivial values such as 0000 or 1234, and limit failed attempts so the small keyspace cannot simply be enumerated.
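The three checks named above (minimum and maximum length, optional composition rules, and screening against a breached-password corpus) are small enough to show end to end. The following is an added example, not code from this questionnaire or from any product it mentions. The breach corpus is constructed for the example (SHA-1 hashes of a few well-known weak passwords) and `lookup_range` is a hypothetical helper standing in for the Have I Been Pwned range API, which accepts only the first five hex characters of the SHA-1 so the full hash never leaves the client; the `Policy` defaults are assumptions to tune to your own risk tier.

```python
"""Authenticator strength check: length bounds, optional composition rules,
and breached-password screening with a k-anonymity style lookup.

Added example for this page, not code from the page or any product it names.
The breach corpus below is constructed for the example: a handful of SHA-1
hashes of well-known weak passwords, indexed the way the Have I Been Pwned
range API returns them (5-hex-char prefix -> 35-hex-char suffix -> count).
"""
import hashlib
import unicodedata
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 bytes, the key format the corpus uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (assumption, not real data).
_CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "letmein", "Password1!"]
BREACHED_RANGES: Dict[str, Dict[str, int]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], {})[_h[5:]] = 1000


def lookup_range(prefix: str) -> Dict[str, int]:
    """Hypothetical helper standing in for GET /range/{prefix} on the HIBP API.
    Only the 5-char prefix leaves the client; suffix matching happens locally."""
    return BREACHED_RANGES.get(prefix, {})


@dataclass(frozen=True)
class Policy:
    min_length: int = 12               # assumed default; tune to your risk tier
    max_length: int = 128              # room for passphrases, still cheap to hash
    require_composition: bool = False  # off by default, per NIST SP 800-63B
    block_breached: bool = True


def check_password(password: str,
                   policy: Optional[Policy] = None,
                   breach_lookup: Callable[[str], Dict[str, int]] = lookup_range) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    policy = policy or Policy()
    # NFKC normalisation stops look-alike characters (e.g. fullwidth letters)
    # from sneaking a known-breached password past the screening step.
    pw = unicodedata.normalize("NFKC", password)
    failures: List[str] = []

    if len(pw) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        failures.append(f"longer than {policy.max_length} characters")

    if policy.require_composition:
        classes = [
            any(c.islower() for c in pw),
            any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw),
            any(not c.isalnum() for c in pw),
        ]
        if sum(classes) < 3:
            failures.append("fewer than 3 of 4 character classes (upper, lower, digit, symbol)")

    if policy.block_breached:
        digest = sha1_hex(pw)
        # Send only digest[:5]; compare the remaining 35 characters locally.
        count = breach_lookup(digest[:5]).get(digest[5:], 0)
        if count:
            failures.append(f"found in breach corpus ({count} occurrences)")

    return failures


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Wiring this into a real signup or password-change flow means replacing `lookup_range` with a call to the actual range endpoint (keeping the prefix-only query so you never send the full hash), and returning all failures at once so the user fixes them in a single attempt rather than discovering them one by one.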
As evidence, you could provide a screenshot of the password policy configuration in your identity management system or directory service (for example, the Active Directory default domain password policy or fine-grained password policies), or a written policy document that clearly states the minimum requirements and the systems on which they are enforced. Because the question asks whether the requirements are enforced, configuration evidence is stronger than a policy document alone; where both exist, pair them so the reviewer can see that the written standard matches what the systems actually apply.
Implementation Example
Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
ID: PR.AA-03.201
Context
- Function: PR (PROTECT)
- Category: PR.AA (Identity Management, Authentication, and Access Control)
- Sub-Category: PR.AA-03 (Users, services, and hardware are authenticated)
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

