NIST Password Logic Adapter (CISA CPG 1.2)

    Overview

    Rewrite legacy password policies to prioritize length and entropy over complexity and aging, and draft the Compromised Password Detection Protocol. Aligns with NIST SP 800-63B and CISA CPG 1.2; validates that procedures include a recurring check against leaked-credential APIs (e.g. Have I Been Pwned).

    Example Conversation

    You: We need CPG 1.2 evidence for our hospital. Our current policy still has 90-day forced resets and complexity rules. Can you rewrite it to length and entropy, and draft the procedure for checking passwords against Have I Been Pwned?

    Agent: I’ll (1) rewrite the policy to drop periodic resets and complexity in favor of minimum length and entropy, with intelligence-based resets when a credential is found in a breach; (2) draft the Compromised Password Detection Protocol—scope (e.g. all user accounts), frequency (e.g. weekly), use of HIBP k-anonymity API, and response (force reset + alert). Then I’ll run leaked_db_sync_verifier on the procedure so we can fix any gaps before you submit evidence.

    Agent: I’ve updated the policy and created compromised-password-detection-procedure.md. Running leaked_db_sync_verifier on it now…

    Agent: Verifier result: all three criteria passed (recurring/scheduled check, leaked-credential API reference, technical process). The procedure describes a weekly automated job that hashes passwords with SHA-1, sends the 5-character prefix to the HIBP API (k-anonymity), and forces a reset when a suffix match is found. I’ve left a short “Evidence package” section at the end listing the revised policy, this procedure, and the verifier output for your assessors.

    You: Add a note that privileged accounts are in scope and checked daily.

    Agent: Updated the procedure with privileged-account scope and daily frequency for that population. Re-ran leaked_db_sync_verifier — still passes. Evidence package section updated.

    What the Tools Validate

    The skill includes one extension tool:

    leaked_db_sync_verifier checks a documented procedure for compromised-password detection against three CPG 1.2 expectations:

    • Input: Path to a Markdown or text file containing the procedure (e.g. Compromised Password Detection Protocol).
    • Criteria:
      1. Recurring/scheduled check — Document must mention a recurring or scheduled run (e.g. recurring, scheduled, periodic, cron, daily, weekly, automated, sync, interval, frequency). One-off audits do not satisfy CPG 1.2.
      2. Leaked-credential API/DB — Document must reference checking against known-leaked credentials (e.g. Have I Been Pwned, HIBP, pwned, k-anonymity, breach database, leaked credential, compromised credential).
      3. Technical process described — Document must describe how checks are performed (e.g. hash, SHA-1, k-anonymity, prefix/suffix, screening, scan).
    • Output: For each criterion, [PASS] with matched terms or [MISSING] with guidance; then a short result line. Use after drafting the procedure and before finalizing CPG 1.2 evidence. Re-run after any procedure change.
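    The three-criterion check described above, re-created as a small standalone script. This is an added illustration modelled on the page's description of leaked_db_sync_verifier, not that tool's source: the term lists are the ones quoted in the criteria (the real tool evidently matches further terms such as "api"), the [MISSING] guidance wording and the word-start matching rule are assumptions, and the sample procedure is constructed from the excerpt on this page.

```python
"""Keyword check of a compromised-password procedure against the three CPG 1.2
criteria listed above. Illustrative re-creation, not leaked_db_sync_verifier
itself; term lists are taken from the page, guidance text is an assumption."""
import re
from typing import Dict, List, Tuple

# Term lists quoted from the criteria above ("prefix/suffix" split in two).
CRITERIA: Dict[str, List[str]] = {
    "Recurring/scheduled check": [
        "recurring", "scheduled", "periodic", "cron", "daily", "weekly",
        "automated", "sync", "interval", "frequency",
    ],
    "Leaked-credential API/DB": [
        "have i been pwned", "hibp", "pwned", "k-anonymity", "breach database",
        "leaked credential", "compromised credential",
    ],
    "Technical process described": [
        "hash", "sha-1", "k-anonymity", "prefix", "suffix", "screening", "scan",
    ],
}

# Guidance printed for a [MISSING] criterion (wording is an assumption).
GUIDANCE: Dict[str, str] = {
    "Recurring/scheduled check": "State a schedule (e.g. weekly cron job); one-off audits do not satisfy CPG 1.2.",
    "Leaked-credential API/DB": "Name the leaked-credential source checked (e.g. Have I Been Pwned k-anonymity API).",
    "Technical process described": "Describe the mechanism (e.g. SHA-1 hash, 5-char prefix query, local suffix match).",
}


def find_terms(text: str, terms: List[str]) -> List[str]:
    """Return the terms present in text. Matching is case-insensitive and
    anchored at the start of a word only, so "hash" matches "hashed" and
    "scan" matches "scanning" (the report excerpt below credits "hashed")."""
    lowered = text.lower()
    return [t for t in terms if re.search(r"(?<![a-z0-9])" + re.escape(t), lowered)]


def verify_procedure(text: str) -> Dict[str, List[str]]:
    """Map each criterion to its matched terms; an empty list means MISSING."""
    return {name: find_terms(text, terms) for name, terms in CRITERIA.items()}


def all_pass(results: Dict[str, List[str]]) -> bool:
    return all(results[name] for name in CRITERIA)


def render_report(path: str, results: Dict[str, List[str]]) -> str:
    """Render PASS/MISSING lines plus a result line, in the layout of the excerpt below."""
    rule = "=" * 70
    lines = [rule, "CPG 1.2 - Compromised Password Detection Protocol - Leaked-DB Sync Verifier",
             f"File: {path}", rule, ""]
    for name, found in results.items():
        if found:
            lines += [f"[PASS] {name}", "    Found: " + ", ".join(found) + ".", ""]
        else:
            lines += [f"[MISSING] {name}", "    " + GUIDANCE[name], ""]
    if all_pass(results):
        lines.append("Result: Document appears to describe a recurring check against leaked-credential APIs.")
    else:
        lines.append("Result: One or more CPG 1.2 criteria are not evidenced; revise and re-run.")
    lines.append(rule)
    return "\n".join(lines)


def verify_file(path: str) -> Tuple[bool, str]:
    """Read a Markdown/text procedure and return (all criteria passed, report)."""
    with open(path, encoding="utf-8") as fh:
        results = verify_procedure(fh.read())
    return all_pass(results), render_report(path, results)


# Constructed sample: the detection-procedure excerpt from this page.
SAMPLE_PROCEDURE = """## Compromised Password Detection Protocol
- Scope: All user accounts in IdP; privileged accounts checked daily, standard weekly.
- Frequency: Weekly automated job (cron); privileged subset runs daily.
- Method: Passwords hashed (SHA-1); 5-character prefix sent to Have I Been Pwned
  Passwords API (k-anonymity); suffix compared locally.
- Response: Match -> force password reset at next login, alert security team, log event.
"""

# Constructed counter-example: a one-off audit with no mechanism described.
ONE_OFF_AUDIT = "In March we ran a one-time audit of user passwords against the HIBP breach database."

if __name__ == "__main__":
    print(render_report("compromised-password-detection-procedure.md",
                        verify_procedure(SAMPLE_PROCEDURE)))
```

    Running it on the constructed excerpt reports all three criteria as [PASS]; running it on the one-off audit sentence reports the schedule and technical-process criteria as [MISSING], which is the gap CPG 1.2 is meant to close.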

    Output Excerpt

    Condensed excerpts from a generated policy rewrite and detection procedure, plus the verifier report.

    Policy rewrite (excerpt):

    ## Password requirements (aligned with NIST SP 800-63B and CPG 1.2)
    
    - **Minimum length:** 12 characters for standard accounts; 16+ or passphrase for privileged.
    - **No forced periodic resets.** Resets are required only when: (1) credential is found in a known-leak check (see Compromised Password Detection Protocol), (2) suspected compromise or incident, (3) role change to higher privilege.
    - **Strength:** Prefer passphrases; no arbitrary complexity rules (special characters, numbers) that encourage weak patterns.
    - **Lockout:** Progressive delay after failed attempts; account recovery via secure process.
    

    Detection procedure (excerpt):

    ## Compromised Password Detection Protocol
    
    - **Scope:** All user accounts in IdP; privileged accounts checked daily, standard weekly.
    - **Frequency:** Weekly automated job (cron); privileged subset runs daily.
    - **Method:** Passwords hashed (SHA-1); 5-character prefix sent to Have I Been Pwned Passwords API (k-anonymity); suffix compared locally. No plaintext leaves our environment.
    - **Response:** Match → force password reset at next login, alert security team, log event.
    - **Review:** Procedure reviewed quarterly; scope and frequency adjusted with risk assessment.
    
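    The k-anonymity exchange in the Method bullet, worked through in code as an added example (not the skill's, the hospital's or HIBP's own code). The range endpoint format is the real Have I Been Pwned Passwords API; the range body used offline is constructed, its counts are made up, and the `:0` line imitates the padding entries the API returns when the `Add-Padding` header is sent.

```python
"""SHA-1 k-anonymity check against the HIBP Passwords range API, as described in
the Method bullet above. Added example; the range body below is constructed."""
import hashlib
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the candidate and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries carry count 0
    and are kept as 0, so a padding line can never be read as a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breach occurrences for password, given the body for its prefix."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def decide(count: int) -> str:
    """Response per the procedure: any match forces a reset, alerts and logs."""
    return "force_reset_alert_log" if count > 0 else "no_action"


def screen(password: str, range_body: str) -> Dict[str, object]:
    """Combine hashing, lookup and decision into one result record."""
    count = breach_count(password, range_body)
    return {"compromised": count > 0, "count": count, "action": decide(count)}


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live call (not used by the offline demo). Only the 5-char prefix leaves
    the environment; Add-Padding hides the true response size from observers."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "cpg12-detection-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the genuine remainder of that digest; the counts and the
# other two suffixes are made up, and the :0 line imitates an API padding entry.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
0000000000000000000000000000000000A:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(f"prefix sent: {prefix}")
    print(screen("password", CONSTRUCTED_RANGE_5BAA6))
```

    In the scheduled job, `fetch_range(prefix)` replaces the constructed body, one request per distinct prefix; the plaintext and the full hash never leave the environment, which is the property the procedure's "No plaintext leaves our environment" line rests on.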

    Verifier report (excerpt):

    ======================================================================
    CPG 1.2 — Compromised Password Detection Protocol — Leaked-DB Sync Verifier
    File: compromised-password-detection-procedure.md
    ======================================================================
    
    [PASS] Recurring/scheduled check
        Found: scheduled, automated, daily, weekly, cron.
    
    [PASS] Leaked-credential API/DB
        Found: have i been pwned, hibp, k-anonymity, api.
    
    [PASS] Technical process described
        Found: hash, sha-1, prefix, suffix, k-anonymity.
    
    Result: Document appears to describe a recurring check against leaked-credential APIs. Ensure procedure is tailored to the organization (e.g. scope, frequency, API choice) for CPG 1.2 evidence.
    ======================================================================
    

    Getting Started

    Add your current password policy and any draft procedure to the project workspace, then activate the NIST Password Logic Adapter (CISA CPG 1.2) skill. The agent will guide you through rewriting policy (length/entropy over complexity/aging), drafting the detection procedure, and validating it with the verifier.