CMMC Practice IA.L2-3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.

Bold Coast Security Guidance

Common complexity requirements are to have an 8 character password which uses 3 of the 4 character groups (numbers, lowercase and uppercase letters, and symbols) and use at least 2 of each group. NIST guidance has evolved to suggesting the use of longer passwords, or passphrases, of 15 characters or more, but you do not have to change them as frequently. A hidden part of this practice is that when a user changes their password, the the password should be is suitably different than the original password. Since most systems store passwords in irreversible encryption (or a hash), the system can only tell if the password is exactly the same as it was before, or different. So you may have to make a policy and remind users through education that simply changing the last character from a 1 to a 2, and later to a 3, is NOT an acceptable password change, even if the system allows it.

Discussion From Source

DRAFT NIST SP 800-171 R2 This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.