Authenticator Management | IA-5
Description
- Users are prohibited from sharing their password or authenticator with any other person.
- Default or assigned passwords must be changed where feasible.
- Where feasible, password hashes should be salted.
- Passwords must be encrypted when transmitted.
- Temporary passwords transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt if the transmission is one-time and the user must also change the password upon first logon.
- Users will be directed to use a self-service password reset when they need to change their password. If a user is not able to perform a self-service reset, their identity must be verified before the password is changed.
  - The password must be changed to a temporary password; and
  - The user must change the temporary password at first logon (where applicable).
- When automated password generation programs are utilized:
  - Non-predictable methods of generation must be used;
  - Where feasible, systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system.
Last updated: 3/11/2024