
Passwords: Revisiting the Tried and True

Introduction

Passwords have been an integral part of our digital lives for many years, providing a layer of security for our online accounts and sensitive information. However, with the increasing sophistication of cyberattacks and the growing number of data breaches, it has become more critical than ever to have strong and secure passwords.
The Federal Risk and Authorization Management Program (FedRAMP) has established guidelines for password requirements for its authorized cloud service providers (CSPs). In this blog, we will discuss password security, FedRAMP password requirements, and some best practices to follow for creating strong and secure passwords.

Why is Password Security Important?

Passwords are often the first line of defense in protecting sensitive systems and information from unauthorized access.
Cybercriminals use various techniques such as phishing, social engineering, and man-in-the-middle (MITM) attacks to gain access to user accounts. Once an attacker has access to your password, they can steal your data, commit fraud, or even use your account for malicious activities.
Thus, having strong and secure passwords is essential to protect your personal and business information from cybercriminals.

What are the FedRAMP Password Requirements?

FedRAMP is a government-wide program, established in law, that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP-authorized CSPs must comply with strict security standards to ensure that their services meet the security and privacy requirements of the federal government.
The FedRAMP password requirements are based on the National Institute of Standards and Technology (NIST) guidelines for password security. Some of the key requirements include:

  • Password Complexity: Passwords must be at least 12 characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters.
  • Password Aging: Passwords must be changed every 90 days (about 3 months).
  • Password History: Users cannot reuse their last four passwords.
  • Password Lockout: After 6 failed login attempts, the account will be locked for a period of time.
  • Multifactor Authentication (MFA): Requires MFA for all privileged accounts.
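As an added illustration (not code from this post or from FedRAMP), the following Python models the complexity, aging, history and lockout requirements above as server-side policy checks; the PBKDF2 work factor and the ISO-8601 timestamp format are assumptions of the example, and MFA is out of scope for it.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Thresholds taken from the requirements listed in the post.
MIN_LENGTH = 12                  # complexity: at least 12 characters
MAX_AGE = timedelta(days=90)     # aging: change every 90 days
HISTORY_DEPTH = 4                # history: last four passwords may not be reused
LOCKOUT_THRESHOLD = 6            # lockout: lock after 6 failed attempts
PBKDF2_ROUNDS = 100_000          # assumed work factor for the stored hashes


def complexity_violations(password: str) -> list[str]:
    """Return the complexity rules the password fails; an empty list means it complies."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "an uppercase letter"),
        (any(c.islower() for c in password), "a lowercase letter"),
        (any(c.isdigit() for c in password), "a number"),
        (any(c in string.punctuation for c in password), "a special character"),
    ]
    return [rule for ok, rule in checks if not ok]


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores passwords in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH (salt, digest) entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_expired(last_changed: str, now: str) -> bool:
    """Aging: ISO-8601 timestamps; the password must be rotated once MAX_AGE has elapsed."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(last_changed) >= MAX_AGE


def locked_out(failed_attempts: int) -> bool:
    """Lockout: the account locks at LOCKOUT_THRESHOLD consecutive failures."""
    return failed_attempts >= LOCKOUT_THRESHOLD
```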


Best Practices for Creating Strong and Secure Passwords

In addition to the FedRAMP requirements, there are some best practices that individuals and organizations can follow to create strong and secure passwords, such as:

Use Passphrases:

Instead of using a single word, use a passphrase that is easy to remember but is also difficult to guess. For example, "Ilov3ApplePie24/7!" is a strong passphrase.

Avoid Personal Information:

Do not use personal information such as your name, birthdate, or address in your password. This information can be easily found by cybercriminals, such as through social media.

Use a Password Manager:

A password manager, such as Bitwarden, can generate strong passwords and store them securely for you.

Enable Multifactor Authentication:

MFA, from a provider such as Duo, adds an extra layer of security to your accounts by requiring a code in addition to your password.

Do Not Share Your Password:

Never share your password with anyone, even if they claim to be a trusted source, and that includes the IT department.

Conclusion

In today’s world, password security is crucial to protecting sensitive information from cybercriminals. To that end, FedRAMP has established strict password requirements for its authorized CSPs to ensure that they meet the security and privacy requirements of the federal government.
By following best practices for creating strong and secure passwords, individuals and organizations alike can minimize the risk of their systems being compromised. Remember to always use a unique and strong password for each account and enable multifactor authentication whenever possible.
Let InfusionPoints know if you need assistance elevating your password game!

Related FedRAMP Controls

  • AC-12 (1) - SESSION TERMINATION | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
  • IA-2 - IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
  • IA-5 - AUTHENTICATOR MANAGEMENT
  • IA-5 (1) - AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
  • IA-5 (4) - AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
  • IA-5 (7) - AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
  • IA-5 (8) - AUTHENTICATOR MANAGEMENT | MULTIPLE INFORMATION SYSTEM ACCOUNTS
  • IA-6 - AUTHENTICATOR FEEDBACK

Sources:

  • FedRAMP Compliance FAQs for User Authentication - Knowledge Base - Palo Alto Networks
  • Configure identification and authentication controls to meet FedRAMP High Impact level with Azure Active Directory - Microsoft Entra | Microsoft Learn
  • Fedramp password field requirements (salesforce.com)