Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication.
Examples of situations where a user ID and password might be used include but are not limited to:
- When the application user base does not have a CAC and is not a current DoD employee, member of the military, or a DoD contractor.
- When an application user has been officially designated as a Temporary Exception User; one who is temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
and
- When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
To meet password policy requirements, passwords need to be changed at specific policy-based intervals.
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. |