Credentials
Define a password management tool
Summary The passwords of high privilege users must be guarded and managed by the tool defined by the organization to complete this task. Description The use of a password management tool provides a secure and controlled environment for storing, ...
Proper generation of temporary passwords
Summary Temporary passwords should be automatically and randomly generated. Description The requirement emphasizes that temporary passwords should be generated automatically by the system, without user intervention. Randomly generated passwords are ...
Notify upcoming expiration dates
Summary The system must notify users when their credentials are about to expire. Description This requirement specifies that users must be notified when their credentials are about to expire. This is a proactive security measure that promotes user ...
Invalidate previous OTPs
Summary The system must invalidate previously generated OTPs when the generation of a new one is triggered. Description One-time passwords (OTPs) are secrets used during operations that need added security or as part of user enrollment processes. ...
Store salt values separately
Summary The salt values used during the password hashing process must be stored separately from the hashed passwords. Description Adding random salt to a password as part of the hashing process drastically increases the time required to crack that ...
Prevent the use of breached passwords
Summary The system must check new passwords against a list of 1,000 to 10,000 breached passwords. Description There are various mechanisms for cracking passwords that use public lists containing breached credentials. Systems must check submitted ...
Remove inactive accounts periodically
Summary The organization must remove inactive user accounts periodically (purging). Description Inactive user accounts that remain in the system can be a security risk. If these accounts have not been properly deactivated or removed, they may become ...
Unique access credentials
Summary System access credentials must be unique for each actor. Description Unique credentials must tie specific access and actions to individually identified users. This promotes accountability by determining who performed a particular action or ...
Change system default credentials
Summary The organization must modify all default access credentials of embedded systems. Description Organizations usually keep default configurations of third-party products, since these may adapt to most environments where they are installed and ...
Force re-authentication
Summary The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.). Description When important changes occur, such as a password ...
Define OTP lifespan
Summary One-time passwords (OTP) must have a maximum lifespan of 60 seconds. Description OTPs are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected ...
Set minimum OTP length
Summary One-time passwords must be at least 6 characters long. Description One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, they should have a ...
Define lifespan for temporary passwords
Summary Temporary passwords for first system login must have a maximum lifespan of 120 minutes. Description Temporary passwords are often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that ...
Change temporary passwords of third parties
Summary The system must force the change of temporary passwords, which are generated by a third party, after their first use. Description Temporary passwords are often harder to remember and shared over systems whose future integrity may not be ...
Force temporary password change
Summary The system must force the change of automatically generated temporary passwords after their first use. Description Temporary passwords are often harder to remember and shared over systems whose future integrity may not be guaranteed by the ...
Passwords with random salt
Summary Salt values in passwords must be random and have a minimum length of 48 bits. Description By being random and having a minimum length of 48 bits, the salt is complex enough to mitigate the risk of a successful attack on the user's ...
Store passwords with salt
Summary The system must store passwords with different key derivations (salt). Description The use of salts introduces an extra layer of complexity for attackers attempting to crack password hashes. This requirement is a fundamental practice for ...
Passwords with at least 20 characters
Summary System passwords must be at least 20 characters long. Description Long passwords allow a wide variety of characters and combinations, strengthening their complexity. The larger the number of characters and the longer the password, the ...
Passphrases with at least 4 words
Summary The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more. Description Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are ...
Deny multiple password changing attempts
Summary Passwords are not allowed to be changed more than once in the same day. Description Limiting the frequency of password changes to once per day is a security policy that helps to balance usability and security considerations. ...
Limit password lifespan
Summary Passwords must be valid for a maximum of 30 days. Description The risk of passwords being compromised increases due to new cyber threats, attack techniques, and data breaches. Regularly changing passwords helps organizations reduce the ...
Validate previous passwords
Summary The system must not allow password changes for a user if the new password matches one of the previous 5 passwords of the same user. Description This requirement aims to prevent password reuse, enhance security, and protect against the risks ...
Define unique data source
Summary All system passwords must be stored in a unique data source. Description Storing passwords in a unique data source typically involves centralizing password storage in a dedicated and secure location. This could be a password database or a ...
Store hashed passwords
Summary Passwords must be hashed before being stored using secure hash algorithms such as `PBKDF2` and `bcrypt`. Description A hash function maps data of arbitrary size to fixed-size values. It conceals sensitive information as it is often not ...
Set a password regeneration mechanism
Summary The system must provide a secure mechanism to regenerate a user's password. Description Passwords are identity assertion elements that can be easily lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a ...