GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.5.9: Temporary Password Use

Control 3.5.9 requires organizations to allow temporary passwords for initial system logons while enforcing immediate changes to permanent passwords. This foundational access control prevents default credential exposure and reduces account compromise risk during the critical onboarding window.

What this means

Organizations must implement a technical and procedural mechanism that allows temporary passwords to be issued for new or reset user accounts, but forces users to change them to a unique, permanent password on their first login attempt. The system must not permit access to resources or data until this password change is completed.

How to comply

  1. 1.Configure identity and access management systems to generate random, single-use temporary passwords that expire after first use
  2. 2.Implement mandatory password change prompts that block all system access until a permanent password is created
  3. 3.Define password complexity requirements for permanent passwords (minimum length, character types, no dictionary words)
  4. 4.Log all temporary password issuances and forced password changes for audit trails
  5. 5.Set temporary password validity windows (typically 24-48 hours) with automatic expiration
  6. 6.Train administrators on issuing temporary passwords securely (encrypted email, separate delivery channels)
  7. 7.Document the temporary password policy in access control procedures and user onboarding workflows

Evidence auditors look for

  • System-generated temporary password logs showing issuance timestamps and user accounts
  • Access control policy documentation requiring password change on first login
  • Identity management system configuration screenshots showing forced password change enforcement
  • User onboarding checklists confirming temporary-to-permanent password transition
  • Authentication logs demonstrating failed access attempts until permanent password is set
  • Security audit reports validating temporary password expiration and change enforcement

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates temporary password lifecycle management and validates forced password change enforcement across your identity systems, eliminating manual verification of first-login password resets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST 800-171 3.5.1 (Password Strength)NIST 800-171 3.5.2 (Password Change)NIST 800-171 3.5.10 (Password Manager Use)NIST 800-171 3.2.1 (System Access Authorization)