M1027 Password Policies

Set and enforce secure password policies for accounts.

ID: M1027
Version: 1.0
Created: 06 June 2019
Last Modified: 21 October 2022

Techniques Addressed by Mitigation

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1110.001 | Password Guessing | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1110.002 | Password Cracking | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1110.003 | Password Spraying | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1110.004 | Credential Stuffing | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1555 | Credentials from Password Stores | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.
Enterprise | T1555.001 | Keychain | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.
Enterprise | T1555.003 | Credentials from Web Browsers | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.
Enterprise | T1555.005 | Password Managers | Refer to NIST guidelines when creating password policies for master passwords. [5]
Enterprise | T1187 | Forced Authentication | Use strong passwords so that credential hashes are harder to crack if they are obtained.
Enterprise | T1556 | Modify Authentication Process | Ensure that the AllowReversiblePasswordEncryption property is disabled unless there are application requirements. [4]
Enterprise | T1556.005 | Reversible Encryption | Ensure that the AllowReversiblePasswordEncryption property is disabled unless there are application requirements. [4]
Enterprise | T1601 | Modify System Image | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1601.001 | Patch System Image | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1601.002 | Downgrade System Image | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1599 | Network Boundary Bridging | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1599.001 | Network Address Translation Traversal | Refer to NIST guidelines when creating password policies. [5]
Enterprise | T1003 | OS Credential Dumping | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.001 | LSASS Memory | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.002 | Security Account Manager | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.003 | NTDS | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.004 | LSA Secrets | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.005 | Cached Domain Credentials | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.006 | DCSync | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.007 | Proc Filesystem | Ensure that root accounts have complex, unique passwords across all systems on the network.
Enterprise | T1003.008 | /etc/passwd and /etc/shadow | Ensure that root accounts have complex, unique passwords across all systems on the network.
Enterprise | T1201 | Password Policy Discovery | Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer, with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. [3]
Enterprise | T1563 | Remote Service Session Hijacking | -
Enterprise | T1563.001 | SSH Hijacking | Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.
Enterprise | T1021 | Remote Services | -
Enterprise | T1021.002 | SMB/Windows Admin Shares | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
Enterprise | T1072 | Software Deployment Tools | Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.
Enterprise | T1558 | Steal or Forge Kerberos Tickets | Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and that these passwords periodically expire. [1] Also consider using Group Managed Service Accounts or another third-party product such as password vaulting. [1]
Enterprise | T1558.002 | Silver Ticket | Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and that these passwords periodically expire. [1] Also consider using Group Managed Service Accounts or another third-party product such as password vaulting. [1]
Enterprise | T1558.003 | Kerberoasting | Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and that these passwords periodically expire. [1] Also consider using Group Managed Service Accounts or another third-party product such as password vaulting. [1]
Enterprise | T1558.004 | AS-REP Roasting | Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third-party product such as password vaulting. [1]
Enterprise | T1537 | Transfer Data to Cloud Account | Consider rotating access keys within a certain number of days to reduce the effectiveness of stolen credentials.
Enterprise | T1552 | Unsecured Credentials | Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.
Enterprise | T1552.001 | Credentials In Files | Establish an organizational policy that prohibits password storage in files.
Enterprise | T1552.002 | Credentials in Registry | Do not store credentials within the Registry.
Enterprise | T1552.004 | Private Keys | Use strong passphrases for private keys to make cracking difficult.
Enterprise | T1550 | Use Alternate Authentication Material | -
Enterprise | T1550.003 | Pass the Ticket | Ensure that local administrator accounts have complex, unique passwords.
Enterprise | T1078 | Valid Accounts | Default usernames and passwords on applications and appliances should be changed immediately after installation, and before deployment to a production environment. [2] When possible, SSH keys used by applications should be rotated periodically and properly secured.
Enterprise | T1078.001 | Default Accounts | Default usernames and passwords on applications and appliances should be changed immediately after installation, and before deployment to a production environment. [2]
Enterprise | T1078.003 | Local Accounts | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Enterprise | T1078.004 | Cloud Accounts | Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated. [6]

References