Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Password Security · Download

Password Compliance Checklist

A cross-framework checklist for confirming password practices align with HIPAA, PCI DSS, and general NIST-based expectations.

IT KORR Knowledge Center

Password Compliance Checklist

A cross-framework checklist for confirming password practices align with HIPAA, PCI DSS, and general NIST-based expectations.

General (All Organizations)

  • Written, dated password policy exists with a named owner.
  • MFA enforced for all users.
  • Breached-password screening enabled.
  • Minimum password length of at least 12 characters.

HIPAA-Specific

  • Unique user IDs enforced on all systems accessing ePHI — no shared logins.
  • Password/authentication approach documented as part of the formal risk analysis.
  • Automatic logoff configured on shared clinical workstations.
  • Authentication events logged as part of audit controls.

PCI DSS-Specific

  • Minimum 12-character length enforced on all cardholder data environment (CDE) systems.
  • MFA enforced for all CDE access and all remote network access.
  • Password change frequency set via a documented targeted risk analysis.
  • All vendor default credentials changed before production use.
  • Account lockout and password history configured per Requirement 8.

Disclaimer

This checklist is an educational starting point, not a compliance determination. Confirm current requirements with a qualified compliance advisor or Qualified Security Assessor before relying on it for an actual assessment.

Related Resources

  • HIPAA Password Guidance — /knowledge-center/cybersecurity/password-security/hipaa-password-guidance
  • PCI DSS Password Guidance — /knowledge-center/cybersecurity/password-security/pci-dss-password-guidance
  • Compliance Readiness Assessment — /tools/compliance-readiness-assessment

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Password Security Hub for the reasoning behind each recommendation, or use the Password Policy Generator for a fully configurable policy document.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT