Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.7 – Enforce a minimum password complexity and change of characters when new passwords are created.
Understanding the Requirement
This control (from NIST SP 800-171 Rev. 2, mapped to CMMC 2.0 Level 2 practice IA.L2-3.5.7) requires organizations to define concrete password complexity rules and to ensure that a new password cannot be a trivial edit of the one it replaces. Practically that means documenting the minimum length and character-set requirements (uppercase, lowercase, digits, special characters), defining how many characters must differ between a new password and the old one, and configuring systems so those rules are enforced at account creation and at every password change or reset. The control does not prescribe the numbers; the organization chooses them and must be able to show an assessor that the configured systems actually enforce what the written policy says. The goal is to raise the effort required for password-guessing attacks and to stop users from cycling through near-identical passwords, which defeats the purpose of changing a password at all.
Technical Implementation
- Define and document your policy: set a minimum length (12 characters is a reasonable floor for SMBs), require a mix of uppercase, lowercase, digits and special characters, and specify a minimum number of changed characters (for example, at least four characters different from the previous password). Record this in your information security policy so helpdesk and audit staff have a single source of truth, and keep the numbers identical to what the systems below are configured with; an assessor will compare the two.
- Enforce in Active Directory (on-prem): use Group Policy for domain-joined systems (Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy). Configure "Minimum password length," enable "Password must meet complexity requirements," and set "Enforce password history" to prevent reuse. Two caveats matter here: for domain accounts these settings are read only from the GPO linked at the domain root (by default the Default Domain Policy), while the same settings in an OU-linked GPO affect only local accounts on the computers in that OU; and "Enforce password history" is pointless without a "Minimum password age" of at least one day, because otherwise a user can cycle through the whole history in one sitting and land back on the original password. Use fine-grained password policies (password settings objects) when a group such as domain administrators needs stricter values than the rest of the domain. AD has no native "at least N characters changed" rule, so where that must be enforced, use a supported password filter DLL or a third-party product that enforces minimum character differences between old and new passwords.
- Enforce on cloud identities and endpoints: for Azure AD-backed SMBs (the service is now named Microsoft Entra ID), enable Azure AD Password Protection to block common and custom banned passwords; the same service can be extended to on-prem AD with its domain controller agent and proxy service so cloud and domain accounts are checked against one list. Conditional access and MFA are separate controls but limit the damage when a password is guessed anyway. For managed endpoints, use Microsoft Intune / Endpoint Manager configuration profiles to push local password policies and confirm that mobile devices and laptops comply with the same length and complexity rules.
- Use banned-password lists and password history together: combine a custom banned list (common words, company name, product names, seasonal and keyboard patterns) with a history of at least 12–24 previously used passwords to force genuinely new choices. History alone blocks only exact reuse, and complexity alone accepts "Password1!", so the banned list is what makes slightly modified reused passwords fail when strict "change X characters" enforcement is not available.
- Operational controls: update helpdesk procedures to verify user identity before resetting passwords, log password-change and reset events centrally (Windows Security events 4723 "attempt to change an account's password" and 4724 "attempt to reset an account's password" forwarded to a SIEM), and regularly test policy enforcement by attempting controlled password changes that should be rejected. Document exceptions and approval workflows for service accounts where automated changes may be needed.
Example in a Small or Medium Business
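The checks above are easier to reason about, and to test as the last bullet asks, when the rule set is written down as code. The following Python is an added example and is not from the original page or from any Microsoft or vendor product: it models the SMB policy described here (12 characters, four character classes, at least four changed characters, 24-entry history, custom banned list) so you can run candidate passwords through it before rolling the same values into Group Policy or a password filter. The banned list, the `fingerprint` helper and the sample passwords are constructed for the example; a real history store uses the directory's own hashing. It also makes one practical point explicit: the changed-characters rule needs the old password in the clear, which exists during a user-driven change but not during a helpdesk reset, so on a reset only the history check (exact reuse) can fire.

```python
"""Password-acceptance check mirroring IA.L2-3.5.7: complexity plus a
minimum-change rule against the previous password.

Added example, not the page's own code.  Numeric values are the SMB policy
the text describes; BANNED and the sample passwords are constructed.
"""
import hashlib
import string

MIN_LENGTH = 12
MIN_CHANGED = 4          # minimum edit distance from the previous password
HISTORY_DEPTH = 24
# Constructed banned list: company name plus patterns common in breach data.
BANNED = {"acme", "password", "welcome", "summer", "winter", "qwerty"}


def edit_distance(a, b):
    """Levenshtein distance.  Insertions, deletions and substitutions each
    count as one change, so 'Winter2023!' -> '1Winter2023!' is ONE change,
    whereas a naive position-by-position compare would call it all new."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def complexity_failures(pw):
    """Length, four character classes, and banned substrings (case-insensitive)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        problems.append("missing a character class")
    low = pw.lower()
    hits = sorted(w for w in BANNED if w in low)
    if hits:
        problems.append("contains banned term(s): " + ", ".join(hits))
    return problems


def fingerprint(pw):
    # Demo only: the directory keeps its own history hashes; a real store salts.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_new_password(new_pw, history, old_pw=None):
    """Return the reasons a change is rejected (empty list = accepted).

    history: fingerprints of recent passwords, newest first.
    old_pw:  current password in the clear.  Known during a user-driven
             change; None on a helpdesk reset, in which case the
             changed-characters rule cannot be evaluated at all.
    """
    problems = complexity_failures(new_pw)
    if fingerprint(new_pw) in history[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if old_pw is not None:
        # Case flips are trivial for an attacker, so they do not count as changes.
        d = edit_distance(old_pw.lower(), new_pw.lower())
        if d < MIN_CHANGED:
            problems.append(f"only {d} character(s) changed; need {MIN_CHANGED}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the user's current password is already in history.
    current = "Harbor-Lamp2023!"
    hist = [fingerprint(current)]
    for candidate in ["Harbor-Lamp2024!", "Welcome2024!!", "Quartz-Orbit9914$"]:
        print(candidate, check_new_password(candidate, hist, old_pw=current) or "accepted")
    # Same near-duplicate on a reset: no old password, so only history applies.
    print("reset:", check_new_password("Harbor-Lamp2024!", hist) or "accepted")
```

Running the demo shows the year bump rejected during a change but accepted on a reset, which is exactly the gap the banned list and history depth are meant to narrow when no filter can see the previous password.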
A 60-person engineering firm centralizes identity on Active Directory and uses Intune for laptops. IT drafts a password policy requiring 12 characters with upper- and lowercase letters, digits and symbols, sets "Enforce password history" to 24 entries and "Minimum password age" to one day in the domain-level Group Policy, and deploys a vetted password filter on the domain controllers to require at least four characters different from the prior password. When a project manager forgets their password and requests a reset, the helpdesk verifies the caller's identity, sets a temporary password flagged to be changed at next logon, and the manager must then choose a new password that meets the complexity and "changed characters" rules. The manager first tries the old pattern with minor edits and the system rejects it; after choosing a compliant passphrase the change succeeds. IT reviews password-change and reset events monthly to confirm the policy is being applied and adds newly observed weak patterns to the banned-password list. Over time the combination of written policy, technical enforcement and helpdesk checks reduces account-based incidents and gives the assessor the evidence the control asks for.
Summary
Defining a clear password policy and enforcing it technically across domain, cloud, and endpoint systems ensures new passwords meet minimum complexity and meaningful differences from prior passwords. For SMBs this means documenting requirements, using Group Policy/Endpoint Manager or cloud controls to enforce length and complexity, combining password history and banned lists, and adding a password filter or third-party tool where character-difference enforcement is required. Coupled with operational practices (helpdesk validation and logging), these measures make password attacks more difficult and demonstrate practical compliance with the control.