OktaOverview
This control looks for password policies that do not require at least a length of 14 characters, one lowercase letter, one uppercase letter, one numeric character, one symbol, and that allows password reuse.
Remediation guidance
Go to the Authenticators page and Edit the Password authenticator.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
There are no weak password policies
Connectors
Okta
Covered asset types
PasswordPolicy
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}
