5.2
Implementation Groups: IG1, IG2, IG3

Use Unique Passwords

Control Group: 5. Account Management
Asset Type: Users
Security Function: Protect

Description

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify systems requiring multi-factor authentication
7. Select and deploy MFA solution
8. Enroll users and distribute authentication factors
9. Test MFA across all identified systems
10. Define password complexity and length requirements
11. Implement credential management solution
12. Configure password policy enforcement in identity provider

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Credential Stuffing Attacks Using Breached Passwords

Confidentiality

Attackers use credentials leaked from third-party breaches to access enterprise accounts where employees reused the same password across personal and work systems.

Password Spraying with Common Weak Passwords

Confidentiality

Attackers perform password spraying attacks, trying a single common password such as 'Spring2026!' against many accounts so that each account sees only one or two failed attempts and lockout thresholds are never reached. Such passwords satisfy basic complexity rules but are predictable, so a single spray can compromise multiple accounts at once.

Offline Password Cracking of Stolen Hashes

Confidentiality

Attackers who obtain password hashes crack short or simple passwords rapidly using GPU-accelerated brute force and dictionary attacks, or, where the hashes are unsalted, precomputed rainbow tables, gaining access to the accounts protected by those weak passwords. Length is the main defence here: each additional character multiplies the search space, which is why 14 characters is required when MFA is absent.

Vulnerabilities (When Safeguard Absent)

Weak or Reused Passwords Across Enterprise Accounts

Without unique password requirements and minimum length enforcement, users choose weak, predictable, or previously compromised passwords that are easily guessed or cracked.

No Password Policy Enforcement Mechanism

Without technical controls enforcing password length and uniqueness requirements, users default to the shortest, simplest, most memorable passwords possible.
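The following is an added example, not part of the CIS text or any vendor's implementation, showing what a technical enforcement mechanism for this safeguard looks like: the Description's length rule (8 characters with MFA, 14 without), a breached-password check of the kind that defeats the credential-stuffing and spraying scenarios above, a filter for season+year patterns, and a reuse check. The breached list, the IdP policy export format, and the `other_account_digests` hook are constructed assumptions for the example; a real deployment would back the breached-password check with a vetted corpus or a k-anonymity range lookup rather than a hard-coded set.

```python
"""Password-policy enforcement and policy audit for CIS Safeguard 5.2.

Added example (not CIS or vendor code). Constructed inputs are labelled below.
"""
import hashlib
import re
from dataclasses import dataclass, field

MIN_LEN_WITH_MFA = 8       # CIS 5.2 floor for accounts protected by MFA
MIN_LEN_WITHOUT_MFA = 14   # CIS 5.2 floor for accounts without MFA


def required_minimum(uses_mfa: bool) -> int:
    """Minimum length the safeguard requires for an account's MFA status."""
    return MIN_LEN_WITH_MFA if uses_mfa else MIN_LEN_WITHOUT_MFA


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex, the representation HIBP-style breached lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus. In production, query a
# k-anonymity range API (send the first 5 hex chars of the digest, compare the
# returned suffixes locally) or load a vetted offline list; never store plaintexts.
BREACHED_SHA1 = frozenset(
    sha1_hex(p) for p in ("Password1!", "Spring2026!", "Welcome123", "qwerty123456")
)

# Season + 2- or 4-digit year + optional trailing symbols, e.g. Spring2026! or Winter25.
SEASONAL_PATTERN = re.compile(
    r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*.?]*$", re.IGNORECASE
)


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def check_password(password: str, uses_mfa: bool,
                   other_account_digests: frozenset = frozenset()) -> PolicyResult:
    """Evaluate one candidate password at set/change time.

    other_account_digests: SHA-1 digests of passwords the same user has set on
    other enterprise accounts (assumed to be captured by a hypothetical
    password-filter hook at set time). A hit means the password is not unique.
    """
    reasons = []
    minimum = required_minimum(uses_mfa)
    if len(password) < minimum:
        reasons.append(f"length {len(password)} below minimum {minimum} "
                       f"({'with' if uses_mfa else 'without'} MFA)")
    digest = sha1_hex(password)
    if digest in BREACHED_SHA1:
        reasons.append("present in breached-password list")
    if SEASONAL_PATTERN.match(password):
        reasons.append("predictable season+year pattern")
    if digest in other_account_digests:
        reasons.append("reused from another enterprise account")
    return PolicyResult(accepted=not reasons, reasons=reasons)


def audit_policy(policies):
    """Checklist step 1/12: compare configured IdP minimums with the CIS floor.

    policies: iterable of dicts {"group", "mfa_enforced", "min_length"}; this
    export shape is a constructed assumption, not any specific IdP's format.
    Returns (group, configured_min, required_min) for each non-compliant group.
    """
    findings = []
    for p in policies:
        floor = required_minimum(p["mfa_enforced"])
        if p["min_length"] < floor:
            findings.append((p["group"], p["min_length"], floor))
    return findings


if __name__ == "__main__":
    # Constructed sample candidates: (label, password, uses_mfa)
    for label, pw, mfa in [("alice/MFA", "Spring2026!", True),
                           ("bob/no-MFA", "Tr0ub4dor&3", False),
                           ("carol/no-MFA", "correct horse battery staple", False)]:
        r = check_password(pw, mfa)
        print(label, "accepted" if r.accepted else "rejected: " + "; ".join(r.reasons))
    # Constructed sample policy export
    print(audit_policy([{"group": "all-staff", "mfa_enforced": False, "min_length": 8},
                        {"group": "admins", "mfa_enforced": True, "min_length": 12}]))
```

Note that the length check is conditional on the account's actual MFA enforcement state, not on whether MFA is available: an account that can still authenticate with a password alone must meet the 14-character floor.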

Evidence Requirements

Type        Evidence Item                                                             Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled  Captured quarterly
Document    Procedure documentation for protection measures                           Reviewed annually
Technical   MFA enrollment status and enforcement configuration                       Reviewed monthly
Document    Governing policy document (current, approved, communicated)               Reviewed annually