Specops Password Auditor provides support for the following standards:
NOTE
Specops Password Auditor checks against both the built-in Windows policies and those created with Specops Password Policy (with Specops Breached Password Protection).
For example, standards that require users not to use dictionary words (Disallow passwords from dictionary) will be marked as non-compliant if Specops Password Policy is not used, or if the policy in Specops Password Policy is not configured to satisfy the criterion.
The tables below show which compliance criteria require additional policy tools:
- *: Specops Password Policy
- **: Specops Breached Password Protection
NIST
Description
The National Institute of Standards and Technology (NIST) sets the information security standards for federal agencies in the United States.
With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement is an important component of NIST recommendations.
With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.
NIST rules
| Rule | Value |
|---|---|
| Minimum length | 8 |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
| Disallow incremental passwords* | Yes |
PCI V4
Description
Payment Card Industry Data Security Standards (PCI DSS) is a set of standards and guidelines for companies to manage and secure credit-card-related personal data. It’s a global standard established by the major credit card companies – Visa, Mastercard, and American Express – in an effort to protect credit card data from theft.
The PCI-DSS requirements are heavily focused around the makeup of passwords, and can be easily achieved with a third-party password policy tool, such as Specops Password Policy.
If you wish to protect against modern password attacks, you can make use of Specops Password Policy’s custom dictionary to prevent the use of passwords common to your organization. With Specops Breached Password Protection, you can block the use of over 3 billion compromised passwords.
PCI rules
| Rule | Value |
|---|---|
| Minimum length | 7 |
| Maximum age | 90 days |
| Use passphrase* | Yes |
| Password history | 4 |
| Complexity | Digit, Lower |
CJIS
Description
The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI) — for example, fingerprint records and criminal histories.
Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes minimum security requirements and controls to safeguard CJI.
The CJIS Security Policy outlines two sets of password standards – Basic and Advanced. The report here shows how password policies compare against the Basic standard.
CJIS rules
| Rule | Value |
|---|---|
| Minimum length | 8 |
| Minimum age | 90 days |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
| Password history | 10 |
| Disallow incremental passwords* | Yes |
HITRUST
Description
The Health Information Trust (HITRUST) is a framework that provides a way to comply with the often vague standards that apply to the healthcare industry in the United States, such as the Health Insurance Portability and Accountability Act (HIPAA).
HITRUST rules
| Rule | Value |
|---|---|
| Minimum length | 8 |
| Maximum age | 90 days |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
| Password history | 4 |
| Disallow incremental passwords* | Yes |
| Complexity | 2 of Digit, Lower, Special |
NCSC
Description
The National Cyber Security Centre (NCSC) is an organization of the UK government whose approved accreditation scheme, Cyber Essentials, provides a standardized baseline for cyber security policies, controls, and technologies.
With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement and encouraging the use of passphrases are important components of the UK standard.
With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.
NCSC rules
| Rule | Value |
|---|---|
| Minimum length | 8 |
| Use passphrase* | Yes |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
BSI
Description
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) is an agency responsible for information security for the German federal government.
The BSI is also the central certification body for IT systems. This means that any IT product or system that is to be used by the federal government must meet the security standards of the BSI.
BSI rules
| Rule | Value |
|---|---|
| Minimum length | 8 |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
| Password history | 4 |
| Complexity | 2 of Digit, Lower, Special, Upper |
ANSSI
Description
The National Agency for the Security of Information Systems (ANSSI) is France's national authority charged with supporting and securing the development of digital technology.
The ANSSI security standard includes several password recommendations, including checking against a list of known compromised passwords and encouraging the use of passphrases.
ANSSI rules
| Rule | Value |
|---|---|
| Minimum length | 15 |
| Use passphrase* | Yes |
| Disallow passwords from dictionary* | Yes |
| Disallow compromised passwords** | Yes |
| Password history | 4 |
| Complexity | 3 of Digit, Lower, Special, Upper |
CNIL
Description
Data privacy has become a priority for global businesses due to sweeping regulations such as the General Data Protection Regulation (GDPR). At the same time, other regulatory bodies continue to enforce local data privacy laws. In France, for example, the data protection authority is the Commission nationale de l’informatique et des libertés (CNIL).
The CNIL provides cybersecurity guidance related to collecting, storing, and using personal data. Naturally, securing passwords is an important part of the guidance.
CNIL rules
| Rule | Value |
|---|---|
| Minimum length | 12 |
| Disallow compromised passwords** | Yes |
| Complexity | Digit, Lower, Special, Upper |
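The NOTE at the top describes how the auditor decides compliance: built-in Windows settings can satisfy the unmarked rows, while the asterisked rows pass only when the matching Specops component enforces them. The following added example (not Specops code) models that evaluation for four of the standards above; the policy dict fields, the `enforced` set and the function names are this example's own assumptions.

```python
# Rule values transcribed from this page's tables for four of the standards (the
# rest follow the same pattern); policy layout and function names are this example's own.
STANDARDS = {
    "NIST": {"Minimum length": 8, "Disallow passwords from dictionary": True,
             "Disallow compromised passwords": True, "Disallow incremental passwords": True},
    "PCI V4": {"Minimum length": 7, "Maximum age": 90, "Use passphrase": True,
               "Password history": 4, "Complexity": (2, {"Digit", "Lower"})},
    "HITRUST": {"Minimum length": 8, "Maximum age": 90, "Disallow passwords from dictionary": True,
                "Disallow compromised passwords": True, "Password history": 4,
                "Disallow incremental passwords": True, "Complexity": (2, {"Digit", "Lower", "Special"})},
    "CNIL": {"Minimum length": 12, "Disallow compromised passwords": True,
             "Complexity": (4, {"Digit", "Lower", "Special", "Upper"})},
}

# Criteria a built-in Windows policy cannot express (the asterisked rows): they pass
# only when the named Specops component enforces them.
TOOL_RULES = {
    "Disallow passwords from dictionary": "Specops Password Policy",
    "Disallow incremental passwords": "Specops Password Policy",
    "Use passphrase": "Specops Password Policy",
    "Disallow compromised passwords": "Specops Breached Password Protection",
}

def rule_met(policy, rule, want):
    """Return True when `policy` satisfies one rule of a standard."""
    if rule in TOOL_RULES:                 # satisfiable only through Specops
        return rule in policy["enforced"]
    if rule == "Complexity":               # (N, classes): at least N of them enforced
        return len(policy["classes"] & want[1]) >= want[0]
    if rule == "Maximum age":              # 0 in Windows means "never expires"
        return 0 < policy["max_age_days"] <= want
    key = {"Minimum length": "min_length", "Password history": "history"}[rule]
    return policy[key] >= want

def audit(policy):
    """Map each standard to the rules the policy fails (empty list = compliant)."""
    return {name: [r for r, v in rules.items() if not rule_met(policy, r, v)]
            for name, rules in STANDARDS.items()}

def missing_tools(report):
    """Specops components whose absence accounts for at least one failed rule."""
    return sorted({TOOL_RULES[r] for fails in report.values() for r in fails if r in TOOL_RULES})

# Constructed sample: a Windows-only domain policy, no Specops components installed.
WINDOWS_ONLY = {"min_length": 7, "max_age_days": 42, "history": 24,
                "classes": {"Digit", "Lower", "Upper"}, "enforced": set()}
if __name__ == "__main__":
    report = audit(WINDOWS_ONLY)
    print(report, missing_tools(report))
```

Running it shows the sample policy meeting everything PCI V4 asks of Windows except the passphrase row, while NIST, HITRUST and CNIL each fail on the asterisked rows as well, which is exactly the non-compliant marking the NOTE describes.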