
3.5.9 — Change Temp Passwords Immediately

Allow temporary password use for system logons with an immediate change to a permanent password.

Every temporary password — for new accounts, password resets, unlocked accounts — must be changed on first login. The system forces it; it’s not optional.

Why: temp passwords are often simpler (IT needs to communicate them), known by the IT person who set them, and sometimes shared via insecure channels. They’re meant to be replaced immediately.

Three things to get right:

  1. Forced change on first login — the ‘User must change password at next logon’ flag is set
  2. Secure delivery — temp passwords aren’t emailed in plain text
  3. Short expiry — if the user doesn’t log in within 24 hours, the temp password expires

Your assessor needs a “yes” to every row:

  1. Question: Is temporary password use allowed only with an immediate change to a permanent password?
     What “yes” looks like: System forces password change on first login — ‘must change at next logon’ flag set

Documents they’ll review: Identification and authentication policy; procedures addressing authenticator management; system security plan; system configuration settings

People they’ll talk to: Personnel with account management responsibilities; personnel with information security responsibilities

Live demos they’ll ask for: Mechanisms implementing temporary password management


These are the actual questions. Have answers ready.

  • “Walk me through creating a new user account. Is the ‘must change at next logon’ flag set?”
  • “How do you deliver temporary passwords to users? Is it secure?”
  • “What happens if a temp password isn’t used within 24 hours?”
  • “Show me a recently created account — was the password changed on first login?”

No forced-change flag. The account is created without ‘must change at next logon’, so the user keeps the temp password indefinitely.

Temp passwords emailed in plain text. IT sends ‘Your password is TempPass123!’ in an email. Use a secure delivery method — verbal, encrypted message, or secure portal.

No expiry on unused temp passwords. A temp password set for a new hire who doesn’t start for two weeks sits active and vulnerable. Set a 24-hour expiry.
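The three controls above (forced change, secure delivery, 24-hour expiry) and the three failure modes just listed are the same checks an assessor runs against a directory export. The following is an added audit example, not code from this page or from any vendor: it assumes a hypothetical export with the fields shown on the Account dataclass (real AD/Entra/AWS exports name these differently) and treats email and, as an added assumption, SMS as plain-text delivery channels. The sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Expiry window from the "short expiry" rule: an unused temp password is good for 24 hours.
TEMP_PASSWORD_MAX_AGE = timedelta(hours=24)

# Delivery channels this audit treats as plain text. The page names email as
# insecure and verbal, encrypted message and secure portal as acceptable;
# "sms" is an added assumption.
INSECURE_DELIVERY = {"email", "sms"}


@dataclass
class Account:
    """One account as a hypothetical IdP/AD export might describe it (field names are assumptions)."""
    username: str
    temp_password_set_at: datetime           # when IT issued the temp password
    must_change_at_next_logon: bool          # the forced-change flag
    password_changed_at: Optional[datetime]  # None = user has not replaced the temp password yet
    delivery_channel: str                    # how the temp password reached the user


def temp_password_in_use(acct: Account) -> bool:
    """True while the account still authenticates with the temporary password."""
    return (acct.password_changed_at is None
            or acct.password_changed_at <= acct.temp_password_set_at)


def audit_account(acct: Account, now: datetime) -> List[str]:
    """Return the 3.5.9 findings for one account (empty list = compliant)."""
    findings = []
    in_use = temp_password_in_use(acct)
    # 1. Forced change on first login: only matters while the temp password is live.
    if in_use and not acct.must_change_at_next_logon:
        findings.append("no-forced-change-flag")
    # 2. Secure delivery: a plain-text channel is a finding even if the password was later changed.
    if acct.delivery_channel in INSECURE_DELIVERY:
        findings.append("insecure-delivery")
    # 3. Short expiry: an unused temp password older than the window should already be disabled.
    if in_use and now - acct.temp_password_set_at > TEMP_PASSWORD_MAX_AGE:
        findings.append("unused-temp-password-past-expiry")
    return findings


def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Audit every account; the result doubles as the evidence list an assessor asks for."""
    return {a.username: audit_account(a, now) for a in accounts}


# Constructed sample data (not from any real directory).
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # Compliant: flag set, changed on first login 30 minutes later, delivered via portal.
    Account("alice", datetime(2024, 2, 29, 10, 0, tzinfo=timezone.utc), True,
            datetime(2024, 2, 29, 10, 30, tzinfo=timezone.utc), "secure-portal"),
    # Created without the flag two days ago and still on the temp password.
    Account("bob", datetime(2024, 2, 28, 8, 0, tzinfo=timezone.utc), False,
            None, "verbal"),
    # Flag set and still inside the 24-hour window, but the password went out by email.
    Account("carol", datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc), True,
            None, "email"),
    # New hire who has not started: temp password issued two weeks ago, never used.
    Account("dave", datetime(2024, 2, 15, 9, 0, tzinfo=timezone.utc), True,
            None, "secure-portal"),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, findings in run_sample_audit().items():
        print(f"{user:6} {'OK' if not findings else ', '.join(findings)}")
```

The expiry check deliberately fires only while the temp password is still in use: an account whose user changed the password on first login is fine regardless of how old the original issue date is, whereas a delivery finding stands even after the change, because the password already travelled in the clear.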



Related requirements (requirement — why it matters here):

  • 3.5.7 — Password Rules: the permanent password must meet complexity requirements
  • 3.5.10 — Never Plain Text: temp passwords must also be protected during delivery

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: IA.L2-3.5.9 | SPRS Weight: 1 point | POA&M Eligible: Yes