bigforceone

03.05.07

What this control requires

(a) Maintain a list of commonly-used, expected, or compromised passwords, and update the list [Assignment: organization-defined frequency (A.03.05.07.ODP.01)] and when organizational passwords are suspected to have been compromised.
(b) Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.
(c) Transmit passwords only over cryptographically protected channels.
(d) Store passwords in a cryptographically protected form.
(e) Select a new password upon first use after account recovery.
(f) Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules (A.03.05.07.ODP.02)].

Source: NIST SP 800-171 R3 §03.05.07 (official control text).

Why this matters

Weak or compromised passwords are the most common entry point for unauthorized access to systems and data. Attackers use automated tools that test millions of previously breached passwords, dictionary words, and predictable patterns against login pages. This control requires the organization to maintain a blocklist of known-bad passwords, to reject any new or changed password found on it, to enforce its own composition rules, and to protect passwords both in transit and at rest through cryptographic methods. When implemented properly, password management defends against credential stuffing, brute-force guessing, and reuse of passwords exposed in breaches of other services. It also requires users to set a new password on first use after account recovery, rather than continuing to use a temporary credential that might have been intercepted.
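The following Python module is an added example of what parts (a), (b), (d) and (f) look like in code; it is not code from this page or from FORCE. The blocklist entries, the organization-specific words, the username and the 12-character minimum length are constructed assumptions standing in for the organization-defined parameters (the real ODP.02 rules and a breach-derived blocklist of realistic size would be substituted in deployment).

```python
"""Password-management checks modelled on NIST SP 800-171 R3 03.05.07.

Added example, not code from the page or from FORCE. The blocklist, the
context words, the minimum length and the scrypt parameters are assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

# (a) Constructed blocklist of commonly used / compromised passwords.
# In practice this is loaded from a file, refreshed on the ODP.01 schedule,
# and extended whenever an organizational password is suspected compromised.
COMPROMISED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "summer2024",
}

# "Expected" passwords for this tenant: constructed organization-specific words.
CONTEXT_WORDS = {"bigforceone", "force"}

# Assumed ODP.02 composition rule: a length floor rather than character classes.
MIN_LENGTH = 12

# Assumed scrypt work factors: 128 * n * r = 16 MiB, under OpenSSL's default cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def normalize(text: str) -> str:
    """Fold case and Unicode form so 'PassWord' matches the entry 'password'."""
    return unicodedata.normalize("NFKC", text).strip().casefold()


def mark_compromised(blocklist: set, password: str) -> None:
    """(a) Add a password suspected to be compromised to the blocklist."""
    blocklist.add(normalize(password))


def check_password(candidate: str, username: str,
                   blocklist=COMPROMISED_PASSWORDS) -> list[str]:
    """(b) and (f): return the reasons a candidate is rejected (empty = accepted)."""
    reasons = []
    norm = normalize(candidate)
    user = normalize(username)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in blocklist:
        reasons.append("found on the compromised-password list")
    if user and user in norm:
        reasons.append("contains the username")
    if any(word in norm for word in CONTEXT_WORDS):
        reasons.append("contains an organization-specific word")
    if len(set(norm)) <= 2:  # e.g. "aaaaaaaaaaaa" or "abababababab"
        reasons.append("made of too few distinct characters")
    return reasons


def hash_password(password: str) -> str:
    """(d) Store only a salted scrypt digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("Welcome1", "alice-rocks-2024!!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "alice") or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Welcome1", record))
```

The comparison is done on a normalized form so trivial case changes do not slip a blocklisted value past the check, and the stored record carries its own salt so two users with the same password get different digests. Part (c), transport protection, is a property of the TLS configuration rather than of this code.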

What evidence assessors expect

Assessors typically look for artifacts such as screenshots, PDFs, CSV exports, and configuration exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.05.07.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →