[20] Weak Passwords and Password Hygiene


By: Prasanna

Topic: Weak Passwords and Password Hygiene

Domain: D5 – Identity and Access Management
Tags: #cissp


Definition

Weak passwords remain one of the most common attack vectors. Password hygiene focuses on reducing guessability and increasing resistance to credential attacks through policy, user education, and technical controls.


Key Points

  • Password length is generally more important than complexity alone.
  • MFA should be required for privileged and high-risk access.
  • Password policies should include lockout thresholds, history checks, and breach monitoring.
  • Password managers help users avoid reuse and weak choices.
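The policy controls listed above (length over complexity, screening against breached or common passwords, history checks, lockout thresholds) as an added illustration, not code from the original note. The blocklist, the 15-character minimum and the PBKDF2 iteration count are constructed assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample data: a tiny stand-in for a breached/common-password list.
BREACHED_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
LOCKOUT_THRESHOLD = 5  # assumed value for the example

def _normalize(pw: str) -> str:
    # NFKC so visually identical Unicode inputs compare as the same password
    return unicodedata.normalize("NFKC", pw)

def _digest(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash for stored history; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", _normalize(pw).encode(), salt, 100_000)

def remember(pw: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store in the user's password history."""
    salt = os.urandom(16)
    return salt, _digest(pw, salt)

def check_password(candidate: str, history: list[tuple[bytes, bytes]],
                   min_length: int = 15) -> list[str]:
    """Return policy violations; an empty list means the password is accepted.
    Length and blocklist screening follow the NIST SP 800-63B approach
    (no composition rules); the history check blocks reuse."""
    pw = _normalize(candidate)
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in BREACHED_BLOCKLIST:
        problems.append("appears in breached/common password list")
    if any(hmac.compare_digest(_digest(pw, salt), stored)
           for salt, stored in history):
        problems.append("matches a previously used password")
    return problems

class LockoutTracker:
    """Counts consecutive failed logins per account; locks at the threshold."""
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures: dict[str, int] = {}

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt; return True if the account is now locked."""
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= self.threshold
```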

โš ๏ธ CISSP Insight

  • Technical controls alone are insufficient; user behavior and phishing resistance matter as much as policy.
  • A strong password strategy is a practical defense against credential stuffing and guessing attacks.

โš”๏ธ Key Difference / Trap

  • Complexity vs length
    • Complexity helps, but length and uniqueness matter more
  • Password policy is not the same as security awareness
    • Users still need training and verification controls

๐Ÿ—๏ธ Example

A user is required to use a long passphrase and MFA for remote access, reducing the risk of password cracking or reuse.


References

  • NIST SP 800-63B, Digital Identity Guidelines
  • NIST SP 800-53, IA-5
  • ISO/IEC 27001:2022, Annex A 5.16 and 5.17

๐Ÿ” Quick Recall

  • Weak password = common attack path
  • MFA + length + uniqueness = stronger defense