NIST 800-171 Control 3.5.10: Cryptographically Protected Passwords
Password security is foundational to any defense strategy, yet many organizations still transmit or store passwords in plain text. NIST SP 800-171 control 3.5.10 requires that all passwords be cryptographically protected both at rest and in transit. This control directly prevents unauthorized access and insider threats by ensuring credentials cannot be compromised even if systems are breached.
What this means
Control 3.5.10 mandates that organizations must never store passwords in plain text or transmit them over unencrypted channels. All passwords must be protected using cryptographic algorithms (typically hashing with salting for storage, and TLS/SSL for transmission). This applies to user passwords, service account credentials, and any authentication secrets managed by your systems.
How to comply
- 1.Implement strong cryptographic hashing algorithms (SHA-256 or stronger) with unique salts for all stored passwords
- 2.Enforce TLS 1.2 or higher encryption for all password transmission between clients and servers
- 3.Deploy password managers or secrets vaults to centralize and encrypt credential storage
- 4.Configure all authentication systems (directory services, applications, APIs) to hash passwords before storage
- 5.Disable any legacy authentication protocols that transmit credentials unencrypted (HTTP, Telnet, unencrypted LDAP)
- 6.Audit and remediate any plaintext password instances in configuration files, databases, or logs
- 7.Establish policies requiring password encryption for all backup and archival systems
- 8.Conduct regular penetration testing to verify passwords cannot be extracted from stored or transmitted forms
Evidence auditors look for
- Active Directory or LDAP configuration showing password hashing enabled with strong algorithms
- TLS certificate inventory and configuration audit logs for all authentication endpoints
- Password manager implementation records (e.g., HashiCorp Vault, CyberArk, 1Password)
- Application server logs showing encrypted password storage mechanisms in use
- Network traffic analysis confirming all password transmission occurs over encrypted channels
- Database schema documentation showing password fields configured with cryptographic functions
- Policy documentation on password handling, encryption requirements, and cryptographic standards
- Vulnerability scan results confirming no plaintext password instances in systems or backups
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers unencrypted password storage and transmission across your infrastructure, audits cryptographic configurations against NIST standards, and generates compliance evidence—eliminating manual password security reviews.
See how GRCWatch handles this control automatically
Start free trial