# NIST Password Logic Adapter (CISA CPG 1.2)

> Rewrite legacy password policies to prioritize length and entropy over complexity and aging, and draft the Compromised Password Detection Protocol. Aligns with NIST SP 800-63B and CISA CPG 1.2; validates that procedures include a recurring check against leaked-credential APIs (e.g. Have I Been Pwned).



Tags: Compliance, Security, Critical Infrastructure, CISA, NIST, Password, Identity


## Example Prompts

- Rewrite our password policy to drop forced resets and add breach-based checks for CPG 1.2
- Draft the procedure for checking passwords against Have I Been Pwned on a recurring schedule
- Validate our Compromised Password Detection procedure document for CPG 1.2 evidence

URL: https://rakenne.app/skills/nist-password-logic-adapter/index.md

Try this skill: https://rakenne.app/a/?skill=nist-password-logic-adapter



## Overview

Rewrite legacy password policies to prioritize length and entropy over complexity and aging, and draft the Compromised Password Detection Protocol. Aligns with NIST SP 800-63B and CISA CPG 1.2; validates that procedures include a recurring check against leaked-credential APIs (e.g. Have I Been Pwned).

## Example Conversation

> **You:** We need CPG 1.2 evidence for our hospital. Our current policy still has 90-day forced resets and complexity rules. Can you rewrite it to length and entropy, and draft the procedure for checking passwords against Have I Been Pwned?

> **Agent:** I'll (1) rewrite the policy to drop periodic resets and complexity in favor of minimum length and entropy, with intelligence-based resets when a credential is found in a breach; (2) draft the Compromised Password Detection Protocol—scope (e.g. all user accounts), frequency (e.g. weekly), use of HIBP k-anonymity API, and response (force reset + alert). Then I'll run `leaked_db_sync_verifier` on the procedure so we can fix any gaps before you submit evidence.

> **Agent:** I've updated the policy and created `compromised-password-detection-procedure.md`. Running `leaked_db_sync_verifier` on it now...

> **Agent:** Verifier result: all three criteria passed (recurring/scheduled check, leaked-credential API reference, technical process). The procedure describes a weekly automated job that hashes passwords with SHA-1, sends the 5-character prefix to the HIBP API (k-anonymity), and forces a reset when a suffix match is found. I've left a short "Evidence package" section at the end listing the revised policy, this procedure, and the verifier output for your assessors.

> **You:** Add a note that privileged accounts are in scope and checked daily.

> **Agent:** Updated the procedure with privileged-account scope and daily frequency for that population. Re-ran `leaked_db_sync_verifier` — still passes. Evidence package section updated.

## What the Tools Validate

The skill includes one extension tool:

**`leaked_db_sync_verifier`** checks a documented procedure for compromised-password detection against three CPG 1.2 expectations:

- **Input:** Path to a Markdown or text file containing the procedure (e.g. Compromised Password Detection Protocol).
- **Criteria:**
  1. **Recurring/scheduled check** — Document must mention a recurring or scheduled run (e.g. recurring, scheduled, periodic, cron, daily, weekly, automated, sync, interval, frequency). One-off audits do not satisfy CPG 1.2.
  2. **Leaked-credential API/DB** — Document must reference checking against known-leaked credentials (e.g. Have I Been Pwned, HIBP, pwned, k-anonymity, breach database, leaked credential, compromised credential).
  3. **Technical process described** — Document must describe how checks are performed (e.g. hash, SHA-1, k-anonymity, prefix/suffix, screening, scan).
- **Output:** For each criterion, [PASS] with matched terms or [MISSING] with guidance; then a short result line. Use after drafting the procedure and before finalizing CPG 1.2 evidence. Re-run after any procedure change.
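As an added illustration of the three-criterion check (this is example code written for this page, not the skill's own `leaked_db_sync_verifier` implementation; the term lists, guidance strings and sample documents are constructed here), the following script scores a procedure text against each criterion and renders a PASS/MISSING report in the style shown below:

```python
import re
from typing import Dict, List

# Indicator terms per criterion, mirroring the three CPG 1.2 expectations listed
# above. These lists are constructed for this example, not the skill's own.
CRITERIA: Dict[str, List[str]] = {
    "Recurring/scheduled check": [
        "recurring", "scheduled", "periodic", "cron", "daily", "weekly",
        "automated", "sync", "interval", "frequency",
    ],
    "Leaked-credential API/DB": [
        "have i been pwned", "hibp", "pwned", "k-anonymity",
        "breach database", "leaked credential", "compromised credential",
    ],
    "Technical process described": [
        "hash", "sha-1", "k-anonymity", "prefix", "suffix", "screening", "scan",
    ],
}

GUIDANCE = {
    "Recurring/scheduled check":
        "State the schedule (e.g. weekly cron job); a one-off audit does not satisfy CPG 1.2.",
    "Leaked-credential API/DB":
        "Name the leaked-credential source the check runs against (e.g. Have I Been Pwned).",
    "Technical process described":
        "Describe how the check works (e.g. SHA-1 hash, k-anonymity prefix/suffix comparison).",
}


def find_terms(text: str, terms: List[str]) -> List[str]:
    """Return the indicator terms present in text, case-insensitively.

    Each term must start at a word boundary but may continue ("hashed", "scanned"),
    so inflected forms still count as evidence. This is a heuristic: "scan" also
    matches "scandal", so an assessor still reads the document itself.
    """
    lowered = text.lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t), lowered)]


def verify(text: str) -> Dict[str, List[str]]:
    """Evaluate all three criteria; an empty list means that criterion is MISSING."""
    return {name: find_terms(text, terms) for name, terms in CRITERIA.items()}


def format_report(results: Dict[str, List[str]], filename: str) -> str:
    """Render PASS/MISSING lines plus a one-line result."""
    rule = "=" * 70
    lines = [rule,
             "CPG 1.2 - Compromised Password Detection Protocol - Leaked-DB Sync Verifier",
             f"File: {filename}", rule, ""]
    for name, found in results.items():
        if found:
            lines += [f"[PASS] {name}", "    Found: " + ", ".join(found) + ".", ""]
        else:
            lines += [f"[MISSING] {name}", "    Guidance: " + GUIDANCE[name], ""]
    if all(results.values()):
        lines.append("Result: Document appears to describe a recurring check "
                     "against leaked-credential APIs.")
    else:
        lines.append("Result: One or more criteria are missing; revise the procedure and re-run.")
    lines.append(rule)
    return "\n".join(lines)


# Constructed sample inputs: a procedure that should pass, and a one-off audit
# note that lacks both a schedule and a technical description.
SAMPLE_PROCEDURE = """
Scope: all user accounts in the IdP; privileged accounts checked daily, standard weekly.
Frequency: weekly automated job (cron); privileged subset runs daily.
Method: passwords are hashed with SHA-1 and the 5-character prefix is sent to the
Have I Been Pwned (HIBP) Passwords API (k-anonymity); the suffix is compared locally.
Response: on a match, force a reset at next login and alert the security team.
"""

SAMPLE_ONE_OFF = """
In March we performed a single audit comparing account passwords against a list
of compromised credentials obtained from a breach database.
"""

if __name__ == "__main__":
    print(format_report(verify(SAMPLE_PROCEDURE), "compromised-password-detection-procedure.md"))
    print(format_report(verify(SAMPLE_ONE_OFF), "legacy-audit-note.md"))
```

Because the match is a word-prefix regex, a document is judged on vocabulary, not on whether the described process is sound; treat a PASS as a completeness prompt for the author, and keep the human review the page's own verifier output also recommends.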

## Output Excerpt

Condensed excerpts from a generated policy rewrite and detection procedure, plus the verifier report.

**Policy rewrite (excerpt):**

```markdown
## Password requirements (aligned with NIST SP 800-63B and CPG 1.2)

- **Minimum length:** 12 characters for standard accounts; 16+ or passphrase for privileged.
- **No forced periodic resets.** Resets are required only when: (1) credential is found in a known-leak check (see Compromised Password Detection Protocol), (2) suspected compromise or incident, (3) role change to higher privilege.
- **Strength:** Prefer passphrases; no arbitrary complexity rules (special characters, numbers) that encourage weak patterns.
- **Lockout:** Progressive delay after failed attempts; account recovery via secure process.
```

**Detection procedure (excerpt):**

```markdown
## Compromised Password Detection Protocol

- **Scope:** All user accounts in IdP; privileged accounts checked daily, standard weekly.
- **Frequency:** Weekly automated job (cron); privileged subset runs daily.
- **Method:** Passwords hashed (SHA-1); 5-character prefix sent to Have I Been Pwned Passwords API (k-anonymity); suffix compared locally. No plaintext leaves our environment.
- **Response:** Match → force password reset at next login, alert security team, log event.
- **Review:** Procedure reviewed quarterly; scope and frequency adjusted with risk assessment.
```
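The "Method" line above describes the Have I Been Pwned k-anonymity range check. As an added example (written for this page, not code from the skill or from HIBP), the script below implements that check end to end: SHA-1 the password, send only the first five hex characters, and compare the remaining 35 locally. The range endpoint is injected as a function so the example runs offline against a constructed fake response; the `hibp_fetch_range` live fetcher is included for reference and is not exercised here. The breach counts in the fake data are constructed, not real HIBP figures.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form HIBP's Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-character prefix (sent to the API) and 35-character suffix (kept local)."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping count-0 padding entries.

    When the Add-Padding header is sent, the API mixes in dummy suffixes with a
    count of 0 so that response size does not leak how many real matches exist;
    those must be ignored, not treated as breaches.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the leaked-password corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = fetch_range(prefix)          # only the 5-char prefix leaves our environment
    return parse_range_response(body).get(suffix, 0)


def screen_account(account: str, password: str,
                   fetch_range: Callable[[str], str]) -> Dict[str, object]:
    """Apply the procedure's response rule: match -> force reset + alert; log the event.

    The returned record deliberately carries neither the password nor its hash,
    so it is safe to write to the security team's log.
    """
    n = breach_count(password, fetch_range)
    compromised = n > 0
    return {
        "account": account,
        "compromised": compromised,
        "breach_count": n,
        "action": "force_reset_and_alert" if compromised else "none",
    }


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher (not run in this example): GET the real HIBP range endpoint."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "cpg12-password-screen"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range endpoint: two known-weak passwords with
# made-up counts, plus a count-0 padding line per prefix, CRLF-separated as HIBP does.
def _build_fake_ranges() -> Dict[str, str]:
    known = {"password": 9545824, "letmein": 282612}   # counts are constructed
    ranges: Dict[str, list] = {}
    for pw, count in known.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    for prefix in ranges:
        ranges[prefix].append("0" * 35 + ":0")       # padding entry
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = _build_fake_ranges()


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for hibp_fetch_range using the constructed data."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for user, pw in [("alice", "password"), ("bob", "correct horse battery staple tuesday 42")]:
        print(screen_account(user, pw, fake_fetch_range))
```

One practical caveat when turning the weekly-job wording into a real control: a correctly configured IdP stores salted, slow password hashes that cannot be converted into SHA-1 after the fact, so the SHA-1 here has to be computed at a moment when the plaintext is legitimately in hand (password set, change, or a successful login) and discarded immediately; the scheduled job then tracks which accounts have been screened and when, rather than re-hashing a stored password corpus.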

**Verifier report (excerpt):**

```
======================================================================
CPG 1.2 — Compromised Password Detection Protocol — Leaked-DB Sync Verifier
File: compromised-password-detection-procedure.md
======================================================================

[PASS] Recurring/scheduled check
    Found: scheduled, automated, daily, weekly, cron.

[PASS] Leaked-credential API/DB
    Found: have i been pwned, hibp, k-anonymity, api.

[PASS] Technical process described
    Found: hash, sha-1, prefix, suffix, k-anonymity.

Result: Document appears to describe a recurring check against leaked-credential APIs. Ensure procedure is tailored to the organization (e.g. scope, frequency, API choice) for CPG 1.2 evidence.
======================================================================
```

## Getting Started

Add your current password policy and any draft procedure to the project workspace, then activate the *NIST Password Logic Adapter (CISA CPG 1.2)* skill. The agent will guide you through rewriting policy (length/entropy over complexity/aging), drafting the detection procedure, and validating it with the verifier.


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
