SB.9.008 Password Complexity
Systems that allow setting passwords enforce that passwords satisfy minimum complexity requirements.
Rate-limiting is enforced for failed password entries.
During password creation, an indicator of password complexity is reported to the user. Easy passwords are prohibited. If initial passwords or reset passwords are assigned by the system or by operators, they are changed by the user upon first login.
Passwords to personal accounts are only chosen by the account owner. One-time passwords are exempt.
Every account has a traceable owner that is responsible for password maintenance on the account.
Alternative authentication mechanisms stronger than passwords should be encouraged.
Chosen passwords must be checked against, a regularly updated, breached passwords list. If the chosen password appears on the list, the password is not allowed.
The key space for all passwords is UTF-8. This needs to be supported anywhere a password can be submitted.
Complexity requirements should be appropriate to the type of account used, distinguishing at least between regular user accounts, functional/service accounts and privileged accounts. At a minimum, a password length of 15 characters should be used for all types of accounts. Password expiration is needed for accounts that are not regular end-user accounts.
Privileged passwords must be saved and managed in a password vault with MFA. Examples: Service accounts or database accounts.
Preferably, rate-limiting is implemented using alternative methods to account-blocking (such as CAPTCHAs) to prevent denial-of-service attacks.
Changes to authentication factors can only happen after sufficient verification of the user identity. Users are notified of changes to their authentication factors.