PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use

by Randy Bartels / December 21st, 2017

Unique Value for First-Time Use and Resets

PCI Requirement 8.2.6 states, “Set passwords/passphrases for first-time use and upon reset to a unique value for each and change immediately after first use.” There are two elements to PCI Requirement 8.2.6 compliance. First, whenever a new account is being set up or reset, it needs to be given a unique value. Why? The PCI DSS explains, “If the same password is used for every new user, an internal user, former employee, or malicious individual may know or easily discover this password, and use it to gain access to account.”

The second step is to immediately change the password after the first use. Consider this scenario: a member of the administrative staff has set the password for a new account and has provided the password to the end-user. Now, two people know that password. This is why PCI Requirement 8.2.6 requires users to immediately change the password after the first use.

During an assessment, your organization’s password procedures will be examined and security personnel should be observed to ensure that passwords/passphrases for first-time use and upon reset have been set to a unique value.

When you’re setting a password for your staff in your environment, PCI Requirement 8.2.6 requires that whenever you initially set a password or reset it, that password be set to a unique value. It’s also required that the password be changed when it’s used for the first time. If I know, from an attacker’s perspective, that your infrastructure always sets the initial account password to “Password123,” then all I have to do is lock the account, and then I know that password is going to be reset to “Password123.” We look to see that passwords are set to a unique value.

When you have administrative staff set that password and provide the password to the end-user, there are now two people who know that password. So, we require that when the end-user logs into that system or uses that password for the very first time, the application requires them to reset the password.

From an assessment perspective, we look at the configurations of your systems to make sure they force those passwords to be reset when they’re first deployed or first used.
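The following is an added example, not code from the original post or from the PCI DSS, that models both elements of Requirement 8.2.6 in one small account store: every create or reset issues a fresh random value instead of a shared default, and the issued value can only be used to set a new password, so the administrator who issued it never holds a working credential. The class and method names (AccountStore, provision_or_reset, pending_first_use) are hypothetical; the last one gives the assessor's view of accounts still sitting on an administrator-issued value.

```python
"""Reference model of PCI DSS 8.2.6: unique one-time value on create/reset,
change forced at first use. All names here are hypothetical (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the user replaces the issued value


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision_or_reset(self, username: str) -> str:
        """Element 1: each new or reset account gets its own random value
        (never a shared default), and the change-at-first-use flag is armed."""
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _derive(temp, salt), must_change=True)
        return temp  # delivered to the user out of band; only its hash is stored

    def login(self, username: str, password: str, new_password: Optional[str] = None) -> str:
        """Element 2: an issued value grants no access; it only lets the user set a new one."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _derive(password, acct.salt)):
            return "denied"
        if acct.must_change:
            if not new_password or new_password == password:
                return "change_required"  # no session until a new value is chosen
            acct.salt = secrets.token_bytes(16)
            acct.pw_hash = _derive(new_password, acct.salt)
            acct.must_change = False
            return "password_changed"
        return "ok"

    def pending_first_use(self) -> List[str]:
        """Assessor view: accounts still holding an administrator-issued value."""
        return sorted(u for u, a in self.accounts.items() if a.must_change)
```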