[PCI DSS 3.0] 8.4 Document and communicate authentication procedures and policies to all users including:

• Guidance on selecting strong authentication credentials
• Guidance for how users should protect their authentication credentials
• Instructions not to reuse previously used passwords
• Instructions to change passwords if there is any suspicion the password could be compromised

8.4.a Examine procedures and interview personnel to verify that authentication procedures and policies are distributed to all users.

8.4.b Review authentication procedures and policies that are distributed to users and verify they include:
• Guidance on selecting strong authentication credentials
• Guidance for how users should protect their authentication credentials
• Instructions for users not to reuse previously used passwords
• Instructions to change passwords if there is any suspicion the password could be compromised

8.4.c Interview a sample of users to verify that they are familiar with authentication procedures and policies.

Communicating password/authentication procedures to all users helps those users understand and abide by the policies.

For example, guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess passwords that don’t contain dictionary words, and that don’t contain information about the user (such as the user ID, names of family members, date of birth, etc.).

Guidance for protecting authentication credentials may include not writing down passwords or saving them in insecure files, and being alert for malicious individuals who may attempt to obtain their passwords by social engineering (for example, by calling an employee and asking for their password so the caller can “troubleshoot a problem”).

Instructing users to change their password whenever there is a chance it is no longer secure limits the window in which a malicious user can use a legitimate password to gain unauthorized access.
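The guidance above describes criteria that a user can apply by hand; the same criteria can also be enforced when a password is set. The following is an added example, not part of the PCI DSS text or of any PCI SSC tool: a check that rejects dictionary words, strings derived from the user (user ID, family names, date of birth), and reuse of a previous password, the latter by comparing against a salted PBKDF2 history rather than a plaintext list. The word list, the `sample_user()` record and the composition rules it applies are assumptions for illustration (the length and letters-plus-digits rules are taken from PCI DSS 3.0 requirement 8.2.3, not 8.4).

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Work factor for the stored history hashes (illustrative value).
PBKDF2_ROUNDS = 100_000


def _normalize(text):
    """Lower-case and drop non-alphanumerics so 'S-u-m-m-e-r!' still matches 'summer'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _personal_tokens(user_info):
    """Strings derived from the user that must not appear in the password."""
    tokens = [user_info.get("user_id", "")]
    tokens += user_info.get("family_names", [])
    birth = user_info.get("birth_date")
    if birth is not None:
        # Year, day/month in both orders, and full dates in common layouts.
        tokens += [birth.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%Y%m%d", "%d%m%Y", "%m%d%Y")]
    normalized = [_normalize(t) for t in tokens]
    return [t for t in normalized if len(t) >= 3]


def check_password(password, user_info, history):
    """Return the list of policy violations; an empty list means the password is acceptable.

    user_info: {"user_id": str, "family_names": [str], "birth_date": datetime.date}
    history:   list of (salt, digest) tuples from hash_password() for earlier passwords
    """
    problems = []
    norm = _normalize(password)

    # Composition rules from PCI DSS 3.0 requirement 8.2.3 (7+ characters, letters and digits).
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")

    # 8.4 guidance: no dictionary words (substring match on the normalized form) ...
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in norm:
            problems.append(f"contains dictionary word '{word}'")

    # ... and nothing derived from the user (ID, family names, date of birth).
    for token in _personal_tokens(user_info):
        if token in norm:
            problems.append(f"contains personal information '{token}'")

    # 8.4 guidance: no reuse of previous passwords. Recompute with each stored salt and
    # compare in constant time so timing does not reveal which history entry matched.
    for salt, old_digest in history:
        _, digest = hash_password(password, salt)
        if hmac.compare_digest(digest, old_digest):
            problems.append("reuses a previous password")
            break

    return problems


def sample_user():
    """Constructed user record used for the demonstration below (not real data)."""
    return {"user_id": "jdoe", "family_names": ["Doe", "Smith"], "birth_date": date(1985, 7, 23)}


if __name__ == "__main__":
    user = sample_user()
    history = [hash_password("Tr0ub4dor&3")]  # the user's previous password, stored hashed
    for candidate in ("Summer2024!", "jdoe1985x", "Tr0ub4dor&3", "Gr8-lakes-7-tone"):
        print(f"{candidate!r:20} -> {check_password(candidate, user, history) or 'OK'}")
```

Because the history holds only salted hashes, the reuse check can only detect an exact repeat; a user who changes a single character of an old password is not caught by it, which is why the dictionary and personal-information checks above run on the plaintext at the moment it is set rather than against stored data.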