Strong password rules are technically enforced, not just recommended.
What it actually means
Password length/complexity requirements have to be enforced by the system (your identity provider), not left to good intentions. Align to current NIST guidance — length matters more than arbitrary symbol rules.
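As an added example (not code from the page or from any identity provider), the check below shows what "technically enforced" looks like when reduced to logic: minimum and maximum length per NIST SP 800-63B, a blocklist of common or compromised passwords instead of symbol-composition rules, and a "change of characters" rule that rejects a new password too close to the old one. The blocklist entries and the four-position change threshold are constructed assumptions for illustration; a real identity provider would enforce the equivalent settings centrally.

```python
"""Password policy enforcement modelled on NIST SP 800-63B plus a
'change of characters' rule. Added example, not vendor or page code."""
from typing import List, Optional

MIN_LENGTH = 8             # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64            # NIST: systems must accept at least 64 characters
MIN_CHANGED_POSITIONS = 4  # assumption: positions that must differ from the old password

# Constructed stand-in for a real breached/common-password list.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def changed_positions(old: str, new: str) -> int:
    """Count positions where new differs from old; any length difference
    counts as additional changed positions."""
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


def validate_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return failure reasons; an empty list means the password is accepted.
    No symbol/digit composition rules on purpose: length and blocklisting
    do more work than arbitrary character classes."""
    reasons: List[str] = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if new.lower() in BLOCKLIST:
        reasons.append("appears in the blocklist of common/compromised passwords")
    if old is not None:
        if new == old:
            reasons.append("identical to the previous password")
        elif old.lower() in new.lower() or new.lower() in old.lower():
            reasons.append("contains or is contained in the previous password")
        elif changed_positions(old, new) < MIN_CHANGED_POSITIONS:
            reasons.append(
                f"fewer than {MIN_CHANGED_POSITIONS} characters changed "
                "from the previous password"
            )
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a strong passphrase, and a year bump
    # on an old password, which the change-of-characters rule catches.
    print(validate_password("correct horse battery staple"))
    print(validate_password("Summer2024!", old="Summer2023!"))
```

Running it shows the passphrase accepted and the year-bump rejected for changing only one position; the same two rules are what an assessor expects to see configured, not merely written, in the identity provider.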
Pass or fail — an assessor needs a "yes" to each
- Minimum complexity/length is technically enforced.
- A change of characters is required when new passwords are set.
What to have ready
- Password policy configuration in the identity provider
- Documented standard aligned to NIST guidance
Where teams trip up
- A written policy with no technical enforcement
- Conflicting rules across systems
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →