129 – Validate previous passwords
Summary
The system must not allow password changes for a user if the new password matches one of the previous 5 passwords of the same user.
Description
This requirement aims to prevent password reuse, enhance security, and protect against the risks associated with compromised credentials. It is a measure to strengthen authentication practices within the system.
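One way to implement this check, as an added Python example that is not part of the requirement page: the history keeps only salted PBKDF2 hashes (never plaintext) of the most recent five passwords, assumed here to include the one currently in use, and a change is refused when the candidate verifies against any of them.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional, Tuple

# Depth taken from the requirement: the previous 5 passwords of the same user.
PASSWORD_HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a fresh random salt per entry."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Bounded per-user history; the oldest entry is evicted once the depth is exceeded."""

    def __init__(self, depth: int = PASSWORD_HISTORY_DEPTH) -> None:
        self._entries: deque = deque(maxlen=depth)

    def is_reused(self, new_password: str) -> bool:
        # Every stored hash is checked, so a reuse anywhere in the window is caught.
        return any(matches(new_password, salt, digest) for salt, digest in self._entries)

    def change_password(self, new_password: str) -> bool:
        """Record the new password and return True, or return False if it is a reuse."""
        if self.is_reused(new_password):
            return False
        self._entries.append(hash_password(new_password))
        return True


if __name__ == "__main__":
    history = PasswordHistory()
    for pw in ["Spring-2023!", "Summer-2023!", "Autumn-2023!", "Winter-2023!", "Spring-2024!"]:
        history.change_password(pw)
    print(history.change_password("Spring-2023!"))  # False: still inside the 5-entry window
    print(history.change_password("Summer-2024!"))  # True: new password, evicts the oldest
    print(history.change_password("Spring-2023!"))  # True: oldest entry has left the window
```

The hashes above are constructed sample values only; a real deployment would persist the (salt, digest) pairs alongside the user record and use the application's existing password-hashing parameters.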
Supported In
Advanced: True
References
- MITRE-M1027. Password policies
- CMMC-IA_L2-3_5_7. Password complexity
- HITRUST-01_d. User password management
- IEC62443-IAC-1_7. Strength of password-based authentication
- MVSP-2_4. Application design controls - Password policy
- ASVS-2_1_10. Password security
- PCI-8_3_7. A previously used password cannot be used to gain access to an account
- SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- CWE-521. Weak password requirements
- CASA-14_5_2. HTTP Request Header Validation
Last updated
2024/01/18