About this program
Check your password rules against modern NIST guidance — length, rotation, complexity, password manager use.
Risks addressed
- High: Users pick weak or reused passwords that appear in breach corpora
- Medium: Forced rotation drives users to predictable variants
- High: Brute-force attacks succeed without lockout / throttling
Controls (6)
- Minimum length 12+ characters (risk: High)
  How to test + evidence
  Testing procedure: Review the password policy in the IdP. Expect a minimum length of at least 12 characters.
  Evidence to collect: IdP password policy export.
- No mandatory rotation without compromise (risk: Medium)
  How to test + evidence
  Testing procedure: Confirm passwords are not forced to rotate on a schedule; rotation is required only when a breach or compromise is suspected.
  Evidence to collect: Policy document or IdP setting.
- Breached-password screening enabled (risk: High)
  How to test + evidence
  Testing procedure: Verify the IdP checks new passwords against breach corpora (Pwned Passwords / HIBP).
  Evidence to collect: IdP setting screenshot.
- Password manager provided to all staff (risk: Medium)
  How to test + evidence
  Testing procedure: Confirm an approved password manager is provisioned to, and used by, all staff.
  Evidence to collect: Licence count vs headcount.
- Account lockout / throttling configured (risk: Medium)
  How to test + evidence
  Testing procedure: Test the lockout threshold with a test account; confirm the IdP applies progressive throttling (growing delays) rather than a permanent lockout.
  Evidence to collect: Auth-failure policy export.
- No password reuse across services for admins (risk: High)
  How to test + evidence
  Testing procedure: Interview and spot-check; verify admins use unique credentials per system.
  Evidence to collect: Admin attestation and vault entries.
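The first two screening controls above (minimum length 12+ and breached-password screening) can be evaluated with a small checker. The code below is an added example, not part of this program or of any IdP; it implements the k-anonymity range lookup that the Pwned Passwords API uses (send the first five hex characters of the SHA-1, compare the remaining 35 locally) against a constructed, inline range response, so it runs offline. `SAMPLE_RANGES`, `lookup_range_offline` and the hit counts are assumptions for the example; only the `password` entry is the real SHA-1 of the string "password".

```python
import hashlib
from typing import Callable, Dict, List

MIN_LENGTH = 12  # control: minimum length 12+ characters

# Constructed sample of a Pwned Passwords "range" response for prefix "5BAA6".
# Each line is "<35-char SHA-1 suffix>:<count>". The first suffix completes
# SHA-1("password"); the second suffix and both counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00000000000000000000000000000000001:2\r\n"
    ),
}


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range_offline(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}; serves the constructed sample instead of the network."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = lookup_range_offline) -> int:
    """Number of times the password appears in the corpus, 0 if not found.

    Only the 5-character hash prefix leaves the client; the suffix comparison
    happens locally, so the password itself is never disclosed to the service.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip() == suffix:
            return int(count.strip() or 0)
    return 0


def evaluate_password(password: str, lookup: Callable[[str], str] = lookup_range_offline) -> List[str]:
    """Return the list of control failures for a candidate password (empty list = accepted).

    Deliberately no composition rules (mixed case, digits, symbols) and no expiry:
    length plus breach screening is the NIST SP 800-63B position this program follows.
    """
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, lookup)
    if hits:
        failures.append(f"appears in breach corpus ({hits} times)")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "->", evaluate_password(candidate) or "accepted")
```

To point the checker at the live service, replace `lookup_range_offline` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the rest of the logic is unchanged.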
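For the lockout / throttling control, the tester needs a reference for what "progressive throttling rather than permanent lockout" should look like in practice. The following is an added example, not code from this program or from any IdP: a per-account throttle whose enforced delay grows exponentially after a few free attempts, is capped, and resets after a quiet period or a successful login, so an attacker is slowed down but a legitimate user is never permanently locked out. The thresholds (`FREE_ATTEMPTS`, `BASE_DELAY_S`, `MAX_DELAY_S`, `RESET_AFTER_S`) are assumed values for illustration, not figures from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

FREE_ATTEMPTS = 3        # failures tolerated before throttling starts (assumed policy value)
BASE_DELAY_S = 2.0       # first enforced delay, in seconds (assumed)
MAX_DELAY_S = 300.0      # ceiling on the delay: throttling never becomes permanent (assumed)
RESET_AFTER_S = 900.0    # quiet period after which the failure counter is forgotten (assumed)


def required_delay(failures: int) -> float:
    """Seconds an account must wait after the given number of consecutive failures."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY_S)


def delay_schedule(n_failures: int) -> List[float]:
    """Expected delay after each of the first n failures; compare against what the IdP enforces."""
    return [required_delay(i) for i in range(1, n_failures + 1)]


@dataclass
class AccountThrottle:
    failures: int = 0
    last_failure_at: float = 0.0
    not_before: float = 0.0


class Throttler:
    """In-memory progressive throttle keyed by account name; timestamps are passed in for testability."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountThrottle] = {}

    def check(self, account: str, now: float) -> Optional[float]:
        """Return seconds still to wait before an attempt may proceed, or None if it may proceed now."""
        state = self._accounts.get(account)
        if state is None:
            return None
        if now - state.last_failure_at >= RESET_AFTER_S:
            del self._accounts[account]          # quiet period elapsed: forget the failures
            return None
        if now < state.not_before:
            return state.not_before - now
        return None

    def record_failure(self, account: str, now: float) -> float:
        """Register a failed attempt and return the delay now enforced for this account."""
        state = self._accounts.setdefault(account, AccountThrottle())
        state.failures += 1
        state.last_failure_at = now
        delay = required_delay(state.failures)
        state.not_before = now + delay
        return delay

    def record_success(self, account: str) -> None:
        """A successful login clears the throttle state for the account."""
        self._accounts.pop(account, None)


if __name__ == "__main__":
    print("expected delays after failures 1..8:", delay_schedule(8))
```

When running the control test, drive a test account through repeated failures and record the delay the IdP enforces after each; the observed series should grow and then plateau, as `delay_schedule` shows, and a later successful login should clear it. A series that jumps to an indefinite lockout is the finding this control is meant to catch.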