Password Requirements – GDPR, ISO 27001/27002, PCI DSS, NIST 800-53

Last year our team completed quite a few security assessment and remediation projects for our clients. One of those projects required our security team to compile and present a list of password requirements for each of the cybersecurity frameworks the client wished to comply with.

Here is the compilation of that information specific to GDPR, ISO 27001, ISO 27002, PCI DSS, and NIST 800-53 (Moderate Baseline):

Cybersecurity Framework Visualization by Compliance Forge

GDPR

Minimum Requirements / Recommended Controls:

  • No specific complexity requirements outlined.
  • Password policy outlining complexity requirements, periodic password resets, and best effort technical controls. Password/authentication best practices should apply.

Exact Language / Guidance:

  • Passwords are not specifically mentioned within the GDPR standard.
  • GDPR Language

ISO 27001 / ISO 27002

Minimum Requirements / Recommended Controls:

  • No specific complexity requirements outlined.
  • Password policy outlining complexity requirements, periodic password resets, and best effort technical controls. Password/authentication best practices should apply.

ISO 27001

  • Password management systems should be interactive and should ensure quality passwords.

ISO 27002

  • Enforce the use of individual user IDs and passwords to maintain accountability.
  • Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors.
  • Enforce a choice of quality passwords.
  • Force users to change their passwords at the first log-on.
  • Enforce regular password changes, and changes as needed.
  • Maintain a record of previously used passwords and prevent re-use.
  • Do not display passwords on the screen as they are entered.
  • Store password files separately from application system data.
  • Store and transmit passwords in protected form.

Exact Language / Guidance:

PCI DSS

Minimum Requirements / Recommended Controls:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
  • Users must change passwords at least every 90 days.
  • Password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
  • First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use.
  • User accounts are temporarily locked out after not more than six invalid access attempts.
  • Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
  • System/session idle timeout features have been set to 15 minutes or less.
  • Passwords are protected with strong cryptography during transmission and storage.

Exact Language / Guidance:

NIST 800-53 (Moderate Baseline)

Minimum Requirements / Recommended Controls:

  • A minimum length of eight characters and a maximum length of at least 64 characters.
  • The ability to use all special characters but no special requirements to use them.
  • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).
  • Restrict context specific passwords (e.g. the name of the site, etc.).
  • Restrict commonly used passwords (e.g. p@ssw0rd, etc.) and dictionary words.
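To show how the PCI DSS and NIST 800-53 lists above translate into an enforceable check, here is an added example (not from the original article) that validates a candidate password against both sets of rules. The blocklist and the password-history digest are constructed stand-ins; a real deployment would load a full breached-password list and compare against salted password hashes.

```python
import hashlib
import re

# Constructed sample blocklist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}

def _has_run(pw: str, n: int = 4) -> bool:
    """True if pw repeats one character n or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def _has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw has n or more consecutive code points, up or down (e.g. '1234', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def nist_check(pw: str, context: tuple = ()) -> list:
    """Return the NIST 800-53 (moderate) rules from the list above that pw violates.
    context holds site/user names that must not appear in the password."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if _has_run(pw) or _has_sequence(pw):
        problems.append("contains repetitive or sequential characters")
    low = pw.lower()
    if any(c.lower() in low for c in context if c):
        problems.append("contains context-specific text (site or user name)")
    if low in COMMON_PASSWORDS:
        problems.append("is a commonly used password or dictionary word")
    return problems

def pw_digest(pw: str) -> str:
    """Digest kept in the password-history store (stand-in; a real store keeps salted hashes)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def pci_check(pw: str, history: list) -> list:
    """Return the PCI DSS rules from the list above that pw violates; history holds
    pw_digest() values of earlier passwords, most recent last."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("does not contain both letters and digits")
    if pw_digest(pw) in history[-4:]:
        problems.append("matches one of the four previous passwords")
    return problems
```

Lockout, idle timeout and rotation intervals are server-side state rather than properties of the password string, so they are not covered here.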

Exact Language / Guidance:
