Password Policies

Set and enforce secure password policies for accounts.

ID: M0927
Security Controls: IEC 62443-3-3:2013 - SR 1.5, IEC 62443-4-2:2019 - CR 1.5, NIST SP 800-53 Rev. 5 - IA-5
Version: 1.0
Created: 06 June 2019
Last Modified: 19 September 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0892 Change Credential

Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.[1]

ICS T0812 Default Credentials

Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices.

ICS T0822 External Remote Services

Set and enforce secure password policies for accounts.

ICS T0886 Remote Services

Enforce strong password requirements to prevent password brute force methods for lateral movement.

ICS T0859 Valid Accounts

Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.[1]

References