DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user logon ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created. Deployed/tactical systems with limited data input capabilities implement these measures to the extent possible. Registration to receive a user ID and password includes authorization by a supervisor, and is done in person before a designated registration authority. Multiple forms of certification of individual identification such as a documentary evidence or a combination of documents and biometrics are presented to the registration authority. Additionally, to the extent capabilities permit, system mechanisms are implemented to enforce automatic expiration of passwords and to prevent password reuse, and processes are in place to validate that passwords are sufficiently strong to resist cracking and other attacks intended to discover a user's password). All factory set, default or standard-user IDs and passwords are removed or changed. Authenticators are protected commensurate with the classification or sensitivity of the information accessed; they are not shared; and they are not embedded in access scripts or stored on function keys. Passwords are encrypted both for storage and for transmission.
|MAC / CONF||Impact||Subject Area|
|CLASSIFIED||High||Identification and Authentication|
|Access to DoD information sytems must be protected commensurate with the sensitivity of the information the systems process. For this reason it is mandatory that each individual who is authorized access to DoD information systems be provided with a unique individual identifier in the form of either a DoD PKI certificate, CAC card, or username and password. Failure to require an individual I&A mechanism leaves DoD information resources vulnerable to theft, exploitation, unauthorized modification, or destruction.|
| This implementation guidance is designed for use by Information Assurance Managers, System Administrators, or individual Subject Matter Experts (SMEs) tasked with implementation of I&A mechanisms. The following general implementation guidelines apply: |
1. To ensure compliance with (DoD PKI policy), DoD PKI is to be the primary mechanism of individual identification and authentication for all DoD systems wherever possible. For DoD PKI infrastructure implementation guidance, refer to DoDI 8520.2, Enclosure 3 (01 Apr 04).
2. For systems that have not yet implemented, or are unable to implement DoD PKI, ensure that individual user accounts are set up in accordance with guidance provided in implementation guidance for IAAC-1 and ECLP-1.
3. When setting up user accounts on workstations, servers, databases, or individual applications, system administrators shall set password configuration parameters to ensure that password structure conforms to the following standards:
· Passwords must be a minimum of eight (8) characters in length.
· Passwords must contain a case-sensitive mixture of letters, digits, and special characters (e.g., punctuation marks, etc.) such as the example (emPagd2!).
· Whenever a password is changed (by the user or system administrator), at least four characters must be changed from the previous password (e.g., [emPagd2!] becomes [0LP&gd2?]).
· Password aging must be enabled to ensure that passwords must be changed at least every ninety (90) days for classified and SBU systems and no more frequently than every seven (7) days for both types of system.
· System administrators shall configure system accounts to maintain a password history for a period of at least one (1) year. Additionally, users shall not be allowed to use any of their ten (10) previously used passwords.
4. Ensure that the process for registering new users on the system and providing user ID and password conform to practices outlined in IAAC-1.
5. System Administrators (or other SMEs involved in Independent Verification and Validation of password features) shall test the robustness of user passwords on systems processing classified or SBU information by employing a DoD-approved password policy enforcement tool (e.g., Anixis PPE).
6. System Administrators are to ensure that all default, factory-set, or standard-user accounts and associated default passwords are disabled and, to the extent that the OS or application permits, removed completely. Refer to OS, system, or application-specific STIGs, configuration standards, or vendor’s configuration guidance for specific steps on how do disable and/or remove default user accounts, IDs, and passwords.
7. Authenticators/user IDs/passwords shall be protected in the following manner:
· Access to system files containing user account information and passwords shall be restricted to system administrators
· Files containing authenticator information shall be classified at the level of information for which the accounts and passwords are assigned to protect.
· Passwords shall be shadowed. If password characters display in clear text while being entered into the password acceptance field, check the configuration of the application to ensure that the shadowing feature is enabled.
· System security policy, rules of behavior, or other applicable system user policy shall be written in a manner that specifically prohibits the sharing of passwords among users.
· Review any and all scripts used for automated boot processes or application access shall be reviewed to ensure that they contain no password automation or access features.
8. User passwords shall be encrypted, both at rest and in transit through the network using robust (i.e., 128-bit or stronger) encryption through a DoD-approved algorithm (e.g., RC4, RC5, IDEA, Blowfish) and through such robust means of secure transit as SSH and SSL-3.