Authenticator Management | IA-5

  • Users are prohibited from sharing their password or authenticator with any other person.
  • Default or assigned passwords must be changed where feasible.
  • Where feasible, password hashes should be salted.
  • Passwords must be encrypted when transmitted.
    • Temporary passwords, transmitted for the sole purpose of establishing a new password or changing a password, are excepted from the encryption requirement only if the transmission is one-time and the user must change the password upon first logon.
  • Users will be directed to use a self-service password reset when they need to change their password. If a user is not able to perform a self-service reset, their identity must be verified before the password is changed, and then:
    • The password must be changed to a temporary password; and
    • The user must change the temporary password at first logon (where applicable).
  • When automated password generation programs are utilized:
    • Non-predictable methods of generation must be used;
    • Where feasible, systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system.

Last updated: 3/11/2024