Strong password policies are enforced at the identity provider, including breached-password checks
Weak passwords remain a primary attack vector. Short passwords and passwords that follow predictable patterns are guessed quickly in brute-force and password-spraying attacks, and passwords reused from other breached services are simply replayed in credential-stuffing attacks, where no cracking is needed at all. The most effective controls are a minimum length of 12 or more characters, support for passphrases, and rejection of any password that appears in known breach datasets. Enforcing this at the identity provider means the policy applies regardless of which application a user is logging into, rather than depending on each application's own settings.
Implementation steps
1. Configure minimum password length and complexity at the identity provider
Set the minimum password length to 12 characters or more, and allow a maximum of at least 64 characters (including spaces) so that multi-word passphrases fit. NIST SP 800-63B recommends prioritizing length over composition rules (required mixes of character types), which users find burdensome and which do little against attackers who already model the common substitutions. If your provider forces you to keep a composition rule, keep it minimal, and never pair it with periodic rotation, which drives password reuse and incremental changes.
Applies to: okta, azure-ad, google-workspace, onelogin

2. Enable breached-password detection
Configure your identity provider to check new or changed passwords against known breach databases such as Have I Been Pwned (Pwned Passwords). Block any password that appears in breach lists regardless of whether it meets the length requirement: a leaked passphrase is exactly what credential-stuffing lists contain. Prefer a check that never sends the plaintext password or its full hash to a third party; the Pwned Passwords range API takes only the first five hex characters of the SHA-1 hash and returns the bucket of matching suffixes, so the comparison happens locally. Where the provider supports it, re-screen existing passwords when new breach data is loaded, not only at change time.
Applies to: okta, azure-ad-password-protection, entra-id, 1password-business

3. Remove counterproductive password rotation requirements
Mandatory periodic rotation without a breach trigger causes users to make predictable incremental changes such as appending a number or changing a single character, and those patterns are the first thing an attacker tries after a leak. Current guidance from NIST (SP 800-63B) and CISA recommends against forced rotation except when a password is known or suspected to be compromised. Update the policy to set no expiry (or the provider's "never expires" equivalent) and instead rely on breach-detection alerts and the credential-revocation control to trigger resets.
Applies to: okta, azure-ad, google-workspace
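As an added worked example covering steps 1 and 2 (this is illustrative code, not code from any of the providers tagged above): a Python password-policy check that applies the length rules and a k-anonymity breach lookup in the style of the Pwned Passwords range API. The breach corpus, its counts and the fake_range_api stand-in are constructed for the example; in production the lookup function would call the real range endpoint and the IdP would store nothing but the result.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable

# ---- "Server" side: constructed stand-in for the Pwned Passwords range API.
# The real service (https://api.pwnedpasswords.com/range/<prefix>) holds hundreds
# of millions of SHA-1 hashes; the client sends only the first 5 hex characters
# of its hash and receives every suffix in that bucket with a prevalence count.
# These three entries and their counts are made up for this example.
_CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "Password123!": 2151,        # 12 chars, mixed case, digit, symbol: still breached
    "correct horse battery": 1,  # a passphrase that happens to be in a dump
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_BUCKETS = {}
for _pw, _count in _CONSTRUCTED_BREACH_CORPUS.items():
    _digest = sha1_hex(_pw)
    _BUCKETS.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{_count}")


def fake_range_api(prefix: str) -> str:
    """Return the bucket for a 5-hex-char prefix in the API's 'SUFFIX:COUNT' text format."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return "\n".join(_BUCKETS.get(prefix.upper(), []))


# ---- Client side (what the identity provider's password-change handler runs).
def breach_count(password: str, range_lookup: Callable[[str], str] = fake_range_api) -> int:
    """k-anonymity lookup: only the 5-character hash prefix leaves this function.

    Returns how many times the password appears in the breach corpus,
    0 if its suffix is not in the returned bucket.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


@dataclass
class PolicyResult:
    ok: bool
    reason: str


MIN_LENGTH = 12    # the minimum from step 1
MAX_LENGTH = 128   # NIST SP 800-63B: permit at least 64; a cap only protects the hash backend


def evaluate_password(password: str, range_lookup: Callable[[str], str] = fake_range_api) -> PolicyResult:
    """Apply the policy from the steps above: a length floor, passphrases allowed
    (spaces and any printable character), no composition rules, and a breach
    check that overrides length. There is deliberately no expiry logic."""
    if len(password) < MIN_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        return PolicyResult(False, f"longer than {MAX_LENGTH} characters")
    hits = breach_count(password, range_lookup)
    if hits:
        return PolicyResult(False, f"found in breach data ({hits} occurrences)")
    return PolicyResult(True, "accepted")


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "Password123!", "correct horse battery",
               "tulip kettle granite 47 bridge"]:
        print(f"{pw!r:36} -> {evaluate_password(pw)}")
```

The order of checks matters less than the fact that the breach check is unconditional once length passes: "Password123!" satisfies every classic composition rule and "correct horse battery" is a 21-character passphrase, and both are rejected because they appear in the corpus, while a passphrase absent from breach data is accepted without any character-class requirement.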
Evidence required
Identity provider password policy configuration
Evidence that minimum length and breached-password checks are enforced.
- Okta or Azure AD password policy screenshot showing a 12+ character minimum and no periodic expiry
- Azure AD Password Protection configuration showing the global banned password list in enforce mode (not audit mode) and any custom banned password list
- Identity provider audit log entry showing a password change rejected because the password appeared in a breach or banned list
Related controls
- Multi-factor authentication is required for all user accounts (Account Security)
- Unique credentials are used and shared accounts are eliminated (Account Security)
- Privileged accounts are separated and access is minimized (Account Security)
- Credentials are revoked immediately on known or suspected compromise (Account Security)