4.4: Use Unique Passwords

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Asset Type: Users

Security Function: Protect

Implementation Groups: 2, 3

Dependencies

  • None

Inputs

  1. Password policy that includes requirement for unique passwords

Operations

  1. Verify that a password policy was provided and set M1 accordingly.

  2. (Optional) Manually review the provided password policy. Determine if it includes a valid requirement for unique passwords and set M2 accordingly.

Measures

  • M1 = Boolean value indicating whether a password policy was provided; 1 if policy provided, 0 if not

  • M2 = (From optional manual review) Binary value indicating whether the provided password policy includes a valid requirement for unique passwords; 1 if unique passwords required, 0 if not

Metrics

Password Policy Existence

  Metric: This metric indicates the existence of a password policy for the organization.

  Calculation: M1 == 1

Policy Review

  Calculation: (Optional Manual Review) Pass if the organization's password policy includes a unique password requirement.
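The measures above only establish that a policy exists and that it requires unique passwords. The following is an added example, not part of the CIS measurement text, showing how a defender can check the requirement itself against an inventory of privileged local accounts that cannot use multi-factor authentication. It assumes an exported inventory in which each account carries a credential fingerprint that is directly comparable across systems (an assumption; the page names no data source), and every system, account and fingerprint value below is constructed sample data.

```python
"""Audit per-system credential uniqueness for accounts that cannot use MFA.

Added example, not from the CIS measurement text. Assumes an exported
inventory mapping each system to its privileged local accounts and a
credential fingerprint that is directly comparable across systems
(assumption: the source format and fingerprint type are not specified).
"""
from collections import defaultdict

# Constructed sample inventory: system -> account -> credential fingerprint.
SAMPLE_INVENTORY = {
    "web-01": {"Administrator": "fp-a1", "svc-backup": "fp-s1"},
    "web-02": {"Administrator": "fp-a1", "svc-backup": "fp-s2"},  # Administrator reused from web-01
    "db-01": {"root": "fp-r1", "svc-backup": "fp-s3"},
    "db-02": {"root": "fp-r2", "svc-backup": "fp-s1"},  # svc-backup shares its credential with web-01
}


def find_shared_credentials(inventory):
    """Return {fingerprint: sorted [(system, account), ...]} for every
    fingerprint that appears on more than one system.

    A fingerprint shared by two accounts on the same system is not reported:
    the safeguard requires passwords unique to the system, not to the account.
    """
    seen = defaultdict(set)
    for system, accounts in inventory.items():
        for account, fingerprint in accounts.items():
            seen[fingerprint].add((system, account))
    shared = {}
    for fingerprint, locations in seen.items():
        systems = {system for system, _ in locations}
        if len(systems) > 1:
            shared[fingerprint] = sorted(locations)
    return shared


def systems_with_reuse(inventory):
    """Set of systems holding at least one credential also in use elsewhere."""
    return {
        system
        for locations in find_shared_credentials(inventory).values()
        for system, _ in locations
    }


def uniqueness_ratio(inventory):
    """Fraction of systems with no cross-system credential reuse.

    1.0 means every system in the inventory satisfies the safeguard. This is
    a complement to the policy-based measures M1 and M2, not a replacement.
    """
    if not inventory:
        return 1.0
    return 1 - len(systems_with_reuse(inventory)) / len(inventory)


if __name__ == "__main__":
    for fingerprint, locations in find_shared_credentials(SAMPLE_INVENTORY).items():
        where = ", ".join(f"{system}:{account}" for system, account in locations)
        print(f"credential {fingerprint} reused on: {where}")
    print(f"systems without cross-system reuse: {uniqueness_ratio(SAMPLE_INVENTORY):.2f}")
```

The report lists each reused credential with every system and account that holds it, which is the evidence an auditor needs when the manual policy review passes but the systems themselves do not comply; a per-system credential management tool that rotates local administrator and root passwords is the usual remediation when the ratio falls below 1.0.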