NIST 800-171 Control 3.5.9: Temporary Password Use
Control 3.5.9 requires organizations to allow temporary passwords for initial system logons while enforcing immediate changes to permanent passwords. This foundational access control prevents default credential exposure and reduces account compromise risk during the critical onboarding window.
What this means
Organizations must implement a technical and procedural mechanism that allows temporary passwords to be issued for new or reset user accounts, but forces users to change them to a unique, permanent password on their first login attempt. The system must not permit access to resources or data until this password change is completed.
How to comply
- 1.Configure identity and access management systems to generate random, single-use temporary passwords that expire after first use
- 2.Implement mandatory password change prompts that block all system access until a permanent password is created
- 3.Define password complexity requirements for permanent passwords (minimum length, character types, no dictionary words)
- 4.Log all temporary password issuances and forced password changes for audit trails
- 5.Set temporary password validity windows (typically 24-48 hours) with automatic expiration
- 6.Train administrators on issuing temporary passwords securely (encrypted email, separate delivery channels)
- 7.Document the temporary password policy in access control procedures and user onboarding workflows
Evidence auditors look for
- System-generated temporary password logs showing issuance timestamps and user accounts
- Access control policy documentation requiring password change on first login
- Identity management system configuration screenshots showing forced password change enforcement
- User onboarding checklists confirming temporary-to-permanent password transition
- Authentication logs demonstrating failed access attempts until permanent password is set
- Security audit reports validating temporary password expiration and change enforcement
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates temporary password lifecycle management and validates forced password change enforcement across your identity systems, eliminating manual verification of first-login password resets.
See how GRCWatch handles this control automatically
Start free trial