Updating Password Length Policy based on new NIST Guidelines #460

27 changes: 23 additions & 4 deletions baselines/commoncontrols.md
Expand Up @@ -410,6 +410,18 @@ User password length SHALL be at least 12 characters.
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.3v0.3
User password length SHOULD be at least 15 characters.

- _Rationale:_ The National Institute of Standards and Technology (NIST) has published guidance indicating that password length is a primary factor in characterizing password strength (NIST SP 800-63B). Longer passwords tend to be more resistant to brute force and dictionary-based attacks.
- _Last modified:_ July 10, 2023

- MITRE ATT&CK TTP Mapping
- [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
- [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.4v0.3
Password policy SHALL be enforced at next sign-in.

- _Rationale:_ Unless the password policy is enforced at next login, a user could potentially operate indefinitely using a weak password. Enforcing the policy at next login helps ensure that all active user passwords meet current requirements.
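Review bot: Inserting the new length control as 5.3 renumbers the three existing controls below it (5.3 to 5.4, 5.4 to 5.5, 5.5 to 5.6) while this PR touches only baselines/commoncontrols.md, so any conformance check, report or external document keyed on those identifiers now points at the wrong control; either append the new control after the existing ones or update every consumer of the old IDs in the same change. Two smaller points in the added block: the rationale cites "NIST SP 800-63B" without naming the revision and section that carry the 15-character recommendation (the PR title says the guidance is new, so say which publication it came from), and `_Last modified:_ July 10, 2023` on a control introduced by this PR should be checked against the date the control was actually written rather than carried over from the control above it.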
Expand All @@ -421,7 +433,7 @@ Password policy SHALL be enforced at next sign-in.
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.4v0.3
#### GWS.COMMONCONTROLS.5.5v0.3
User passwords SHALL NOT be reused.

- _Rationale:_ Password reuse represents a significant security risk. Preventing password reuse when possible limits the scope of a compromised password.
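Review bot: The identifier GWS.COMMONCONTROLS.5.4v0.3 labelled this reuse control before the change and, once the hunk above lands, labels "Password policy SHALL be enforced at next sign-in" with the same v0.3 suffix, so results compared across baseline releases show one identifier and version string describing two different requirements. If the renumbering stays, bump the version suffix on every shifted control (and the baseline version) so the change is detectable by anything that records control IDs.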
Expand All @@ -433,7 +445,7 @@ User passwords SHALL NOT be reused.
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.5v0.3
#### GWS.COMMONCONTROLS.5.6v0.3
User passwords SHALL NOT expire.

- _Rationale:_ The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB M-22-09 states, "Password policies must not require use of special characters or regular rotation."
Expand All @@ -449,6 +461,10 @@ User passwords SHALL NOT expire.

- [GWS Admin Help \| Enforce and monitor password requirements for users](https://support.google.com/a/answer/139399?hl=en#zippy=%2Cwhat-makes-a-password-strong)
- [CIS Google Workspace Foundations Benchmark](https://www.cisecurity.org/benchmark/google_workspace)
- [Google Strong Password Guidelines](https://support.google.com/accounts/answer/9094506?fl=1&sjid=14948418137648107240-NA)
- [CISA Strong Password Guidelines](https://www.cisa.gov/secure-our-world/use-strong-passwords)
- [CISA Cross-Sector Cybersecurity Performance Goals](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B)


### Prerequisites

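Review bot: The added "Google Strong Password Guidelines" link carries query parameters (`?fl=1&sjid=14948418137648107240-NA`) that look like a session/tracking token copied from whoever opened the page and are not needed to resolve it; trim the URL to `https://support.google.com/accounts/answer/9094506` so the baseline does not ship a per-user token, matching the existing GWS Admin Help reference in this list, which keeps only `hl=en` and an anchor.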
Expand All @@ -472,12 +488,15 @@ To configure a strong password policy is configured, use the Google Workspace Ad
1. Under **Length**, set **Minimum Length** to 12+.

#### GWS.COMMONCONTROLS.5.3v0.3 Instructions
1. Under **Strength and Length enforcement**, select the **Enforce password policy at next sign-in** checkbox.
1. Under **Length**, set **Minimum Length** to 15+.

#### GWS.COMMONCONTROLS.5.4v0.3 Instructions
1. Under **Reuse**, deselect the **Allow password reuse** checkbox.
1. Under **Strength and Length enforcement**, select the **Enforce password policy at next sign-in** checkbox.

#### GWS.COMMONCONTROLS.5.5v0.3 Instructions
1. Under **Reuse**, deselect the **Allow password reuse** checkbox.

#### GWS.COMMONCONTROLS.5.6v0.3 Instructions
1. Under **Expiration**, select **Never Expires.**

## 6. Highly Privileged Accounts
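Review bot: The 5.2 and 5.3 instructions both set the single **Minimum Length** field, first to 12+ and then to 15+, so an administrator following the section in order simply overwrites the first value, and the text never says that one setting of 15 or more satisfies both controls. Either state that explicitly under 5.3 or fold the 15-character recommendation into the 5.2 instruction as the preferred value. In the same hunk, the context line "To configure a strong password policy is configured, use the Google Workspace Ad..." is pre-existing but could be corrected here to "To configure a strong password policy, use ..." while the section is being edited.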