Authenticator Management | IA-5

Description

  • Passwords and other authenticators must be treated as confidential information: 
    • Users are prohibited from sharing their password or authenticator with any other person.
    • If the confidentiality of a password or authenticator is in doubt, it must be changed immediately. 
  • Default or assigned passwords must be changed where feasible.
  • Passwords must be protected in storage and in transit.
    • Where feasible, password hashes should be salted.
    • Passwords must be encrypted when transmitted.
    • Temporary passwords, transmitted for the sole purpose of establishing a new password or changing a password, may be exempted from the encryption requirement if the transmission is one-time and the user must also change the password upon first logon.
  • Users will be directed to use a self-service password reset when they need to change their password. If a user is not able to perform a self-service reset, their identity must be verified before the password is changed.
    • The password must be changed to a temporary password; and
    • The user must change the temporary password at first logon (where applicable).
  • When automated password generation programs are utilized:
    • Non-predictable methods of generation must be used;
    • Where feasible, systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system.
  • If a password or other authenticator is assumed to be compromised, the event must be reported as a security incident.
  • Where feasible, user-selected passwords must be checked by a password audit system to ensure they meet complexity requirements.
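As an added example, not part of the IA-5 policy text above: a small Python model of the temporary-password flow the bullets describe, covering non-predictable generation (OS CSPRNG via `secrets`), a per-password random salt, a forced change at first logon, and a complexity audit of the user-chosen replacement. The complexity rule (12 characters, three of four character classes) and the PBKDF2 parameters are assumptions chosen for this illustration, not values stated in the policy.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_temporary_password(length: int = 16) -> str:
    """Non-predictable generation: secrets draws from the OS CSPRNG (never random.random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """Assumed audit rule: minimum length plus at least three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted hash: fresh 16-byte random salt per password, PBKDF2-HMAC-SHA256 (assumed KDF)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)
    return salt, digest

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool  # set for assigned/temporary passwords; cleared once the user picks their own

def issue_temporary_credential() -> Tuple[str, Credential]:
    """Help-desk / automated reset path: generate, store salted hash, flag for forced change."""
    pw = generate_temporary_password()
    salt, digest = hash_password(pw)
    return pw, Credential(salt, digest, must_change=True)

def verify(cred: Credential, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(attempt, cred.salt)
    return hmac.compare_digest(digest, cred.digest)

def logon_and_set_new_password(cred: Credential, temp: str, new_pw: str) -> Optional[Credential]:
    """First logon with a temporary password must end with a user-chosen, audited password."""
    if not verify(cred, temp) or not cred.must_change:
        return None  # wrong temporary password, or no forced change pending
    if not meets_complexity(new_pw):
        return None  # audit system rejects the chosen password
    salt, digest = hash_password(new_pw)  # new salt for the new password
    return Credential(salt, digest, must_change=False)
```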

Last updated: 5/13/2026
