
Meeting CJIS v6.0 Password Security Requirements

The FBI’s CJIS Security Policy version 6.0 introduces stronger requirements for password protection to help law enforcement agencies combat credential-based threats. In particular, CJIS v6.0 emphasizes preventing the use of compromised passwords and continuous monitoring of credentials to ensure they haven’t been exposed in breaches. Cybersecurity teams responsible for CJIS compliance must now maintain a dynamic “banned password” list, check new passwords against known breached or common credentials, and promptly remediate any compromised accounts. This post explores the specific CJIS v6.0 password requirements and explains how Enzoic’s tools directly help agencies meet them in a practical, automated way.

CJIS v6.0: New Password Security Requirements

CJIS v6.0 aligns with modern best practices (such as NIST SP 800-63B guidelines) by moving away from strict composition rules and frequent password changes, and instead focusing on known compromised credentials. The policy mandates a set of controls for passwords (referred to as “memorized secret authenticators” in the text) aimed at mitigating the risk of breached passwords. Key requirements include:

  • Banned Password List Maintenance: Agencies must maintain a list of commonly-used, expected, or compromised passwords (a “banned passwords” list), which can be obtained “via API or download from a third party”. This list must be kept current: CJIS instructs organizations to “[u]pdate the list quarterly and when organizational passwords are suspected to have been compromised directly or indirectly”. The policy also calls for agencies to “compare current memorized secrets against the list quarterly”, meaning existing passwords must be periodically audited to ensure none are on the banned list.
  • Screening New Passwords: When users create or change their passwords, CJIS requires that verifiers check the chosen password against the banned password list. “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against the list maintained … that contains values known to be commonly used, expected, or compromised.” If the password a user tries to set matches an entry on the banned list, it must be rejected. As the policy states, “If a chosen secret is found in the list, the CSP or verifier SHALL require the subscriber to choose a different value.” In practice, this means any password found in breach databases, common dictionary lists, or predictable patterns cannot be used by employees or officers as their authentication secret.
  • Account Compromise Response: Perhaps most critically, CJIS v6.0 recognizes that a password which was secure yesterday may be compromised tomorrow if a breach occurs. The policy therefore requires organizations to act on evidence of compromise, which in practice means continuous credential monitoring: organizations must be able to detect compromised credentials and force a password change when an authenticator is found to be compromised. CJIS specifies that “verifiers SHALL force a change of memorized secret if there is evidence of compromise of the authenticator.” Instead of routine (e.g. 90-day) password expiration, exposure of a password in a data breach is the trigger for an immediate reset. This requirement necessitates ongoing vigilance and tools to discover whether any user’s password has appeared in a new breach or otherwise been exposed.

Each of these controls poses practical challenges. Maintaining an up-to-date list of billions of known breached passwords and common variants is difficult without external data sources. Checking every new password against such a list in real time requires efficient tooling. Continuously monitoring for credential exposure demands access to fresh breach intelligence on a near-daily basis. This is where Enzoic comes in. Enzoic’s compromised credential screening solutions are purpose-built to fulfill these requirements, making it much easier for agencies to comply with CJIS v6.0’s password standards.

Automating the Banned Password List with Enzoic

CJIS v6.0 explicitly allows using third-party services or feeds to maintain the banned password list, and Enzoic provides exactly that. Enzoic’s platform includes a comprehensive and continuously updated database of compromised passwords, drawn from countless data breaches and leak corpuses. Instead of an agency manually curating and updating a list every quarter, Enzoic delivers this as a constantly refreshed feed. Enzoic’s compromised password database is updated in near real-time as new breaches occur, far exceeding the CJIS requirement to update the list at least quarterly. This ensures your banned password list is always current with the latest known compromised credentials and common password patterns.

Using Enzoic, security teams can obtain the banned password list via API or downloadable hash lists, aligning perfectly with the CJIS directive to maintain the list “via API or download from a third party”. Enzoic essentially offloads the heavy lifting of gathering breached password data. The list Enzoic provides isn’t static; it’s a living repository of unsafe passwords, including those identified in new breaches, frequently used passwords, dictionary words, and patterns (such as “Summer2023!” or “12345678”). Notably, CJIS guidance suggests that the banned list should include “passwords obtained from previous breach corpuses” – exactly the kind of data Enzoic specializes in. By integrating Enzoic, agencies can be confident their prohibited-password repository is both comprehensive and up-to-date, without dedicating internal resources to maintain it. This directly satisfies the CJIS requirement to keep an updated banned passwords list of common or compromised credentials.

Preventing Use of Compromised Passwords at Password Change

Enzoic not only supplies the banned password list; it also makes enforcement seamless. The CJIS policy requires verifiers to check any new or changed password against the banned list and block it if it’s found. Enzoic’s technology is designed to automate this screening in real time. For example, Enzoic for Active Directory is a plug-in that intercepts password set and reset events in Microsoft Active Directory environments. When a user or administrator attempts to create or change an account password, Enzoic for Active Directory automatically checks the new password against Enzoic’s vast database of compromised and weak passwords. If the password is found in the database (indicating it is commonly used, exposed in a breach, or part of cracking dictionaries), the plugin prevents the change and notifies the user that the chosen password is not allowed. This fulfills the CJIS mandate to compare prospective passwords to the banned list and ensure users choose a different password if a match is identified. The policy’s instruction that “the subscriber… needs to select a different secret” is enforced by Enzoic’s tool automatically. Weak or compromised passwords are rejected on the spot, and the user must try an alternative.

For agencies not using Active Directory, Enzoic’s APIs offer the same capability in any custom application or identity platform. Developers can call the API during user registration or password change workflows to evaluate the prospective password against the “banned passwords” list. The response indicates whether the password is known to be compromised or too common, so the system can reject it as CJIS requires. Enzoic’s checks are optimized for speed and privacy (the password is hashed before any lookup), so they add minimal friction for users. By integrating these checks, organizations create an automated gate that prevents any password on the disallowed list from ever being used, exactly as CJIS v6.0 expects. Enzoic also reports which rule triggered a rejection (for example, that the password appeared in a breach dataset): users get that feedback in real time as they type, and administrators get context for the block. This aligns with CJIS’s recommendation to tell users why a password was rejected so they can make a better choice.
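The shape of such a point-of-change check, as an added example that is not Enzoic’s code or API: the verifier hashes the prospective secret, sends only a short hash prefix to the list provider (a k-anonymity style range lookup), receives every banned-hash suffix in that bucket, and does the final match locally, so neither the password nor its full hash leaves the agency. The feed contents, the 5-character prefix length, the reason codes and the provider-side `range_lookup` function are all assumptions made for the example; the context-specific check (a password containing the username) follows NIST SP 800-63B, which the page cites as the basis for the CJIS wording.

```python
"""Screening a prospective memorized secret against a banned-password list
with a hash-prefix lookup: the verifier sends only the first 5 hex characters
of the password's SHA-1 and matches the full hash locally, so the list
provider never sees the password or its complete hash."""
import hashlib

PREFIX_LEN = 5  # 5 hex chars = 20 bits; every prefix bucket covers many hashes

# Constructed stand-in for a third-party banned-password feed. A real feed
# holds hashes of billions of breached and common passwords.
_FEED_PLAINTEXTS = ["password", "Summer2023!", "12345678", "qwerty", "letmein"]


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1 of the secret (a common format for such lists)."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Provider-side index: prefix -> set of hash suffixes in that bucket.
_BANNED_BY_PREFIX: dict[str, set[str]] = {}
for _pw in _FEED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    _BANNED_BY_PREFIX.setdefault(_h[:PREFIX_LEN], set()).add(_h[PREFIX_LEN:])


def range_lookup(prefix: str) -> set[str]:
    """Provider side of the exchange (hypothetical API). Returns every
    banned-hash suffix whose hash starts with `prefix`; the provider learns
    only the prefix, not which hash the caller is interested in."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError(f"prefix must be {PREFIX_LEN} upper-case hex characters")
    return set(_BANNED_BY_PREFIX.get(prefix, ()))


def screen_password(candidate: str, username: str = "", lookup=range_lookup) -> dict:
    """Verifier side: decide whether a prospective secret may be set.

    Returns {"accepted": bool, "reason": str | None}. The reason is a short
    code (assumed names) the UI can turn into a message telling the user why
    the value was rejected, as CJIS recommends.
    """
    # Context-specific values (the username or a derivative) count as
    # "expected" passwords under NIST SP 800-63B.
    if username and username.lower() in candidate.lower():
        return {"accepted": False, "reason": "context_specific"}

    full = sha1_hex(candidate)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    # Only the prefix crosses the wire; the match happens on the verifier.
    if suffix in lookup(prefix):
        return {"accepted": False, "reason": "banned_list"}
    return {"accepted": True, "reason": None}


if __name__ == "__main__":
    for pw, user in [("Summer2023!", "jsmith"), ("jsmith2024", "jsmith"),
                     ("correct horse battery staple", "jsmith")]:
        print(repr(pw), "->", screen_password(pw, user))
```

The provider-side index is in-process here only so the example runs offline; in a real deployment `range_lookup` would be an HTTPS call and the verifier would also cache bucket responses, since every password attempt with the same prefix returns the same suffix set.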

Continuous Credential Monitoring and Rapid Compromise Response

A standout aspect of CJIS v6.0 is the requirement to force password changes upon evidence of compromise. In practice, this means that even after a password has been accepted (i.e. it was not on the banned list at creation time), an agency must remain vigilant and react if that password later becomes compromised. Enzoic addresses this need through continuous credential monitoring.

Enzoic’s Credential Monitoring service keeps watch for your users’ credentials in newly disclosed breaches and password dumps. If an employee’s username or password (typically tracked via a hash) appears in Enzoic’s feed of fresh breach data, Enzoic can immediately alert your security team or identity management system. This proactive monitoring goes hand-in-hand with CJIS’s instruction to compare current passwords against the updated banned list on a regular basis. Instead of a manual quarterly audit, Enzoic performs checks in an automated, continuous fashion. The moment Enzoic’s intelligence detects that a password in your environment is now compromised, you have actionable information.

With Enzoic, organizations can automatically enforce password changes for affected accounts. For instance, in an Active Directory setup, Enzoic’s integration can flag the user account and prompt a password reset or set the account to require a new password at next login if the password is found in a breach. This directly enables compliance with the CJIS requirement that “verifiers shall force a change of [the] memorized secret if there is evidence of compromise”. Rather than waiting for an annual or ad-hoc review, the system responds in near-real-time to credential exposures. This significantly reduces the window of vulnerability; users aren’t left unknowingly using a breached password for long periods. It’s a security win and a compliance win; by leveraging Enzoic’s continuous monitoring, agencies fulfill CJIS’s call for emergency password changes when needed, without relying on users to report issues or on infrequent manual checks.
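The monitoring loop described above, as an added example that is not Enzoic’s code: each new batch of breached-password hashes is merged into the banned list, every account whose current secret is in the batch is marked to change its password at next logon and an exposure event is recorded, and a separate quarterly audit re-checks all accounts against the full list. It assumes the directory keeps an unsalted hash of each account’s current secret that can be compared directly with feed hashes (Active Directory’s NT hash works this way; SHA-1 stands in for it here), and the accounts, feeds and source labels are constructed sample data.

```python
"""Continuous credential monitoring: each time a new batch of breached
password hashes arrives, find the accounts whose current secret is in it,
mark them for a forced change, and record an exposure event."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


@dataclass
class Account:
    username: str
    # Assumption: the directory stores an unsalted hash of the current secret
    # (as AD does with the NT hash), so it is directly comparable to a feed.
    password_hash: str
    must_change_password: bool = False

    def __post_init__(self):
        self.password_hash = self.password_hash.upper()


@dataclass
class ExposureEvent:
    username: str
    source: str  # which feed/breach exposed the secret


class CredentialMonitor:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.banned = set()   # union of every feed ingested so far
        self.events = []
        # Reverse index hash -> usernames: a feed of N hashes costs O(N) rather
        # than N x (number of accounts), and shared passwords are all caught.
        self._by_hash = defaultdict(set)
        for a in accounts:
            self._by_hash[a.password_hash].add(a.username)

    def set_password_hash(self, username, new_hash):
        """Call after a reset so the index tracks the account's current secret
        (a real reset path would also run the point-of-change screening)."""
        acct = self.accounts[username]
        self._by_hash[acct.password_hash].discard(username)
        acct.password_hash = new_hash.upper()
        acct.must_change_password = False
        self._by_hash[acct.password_hash].add(username)

    def ingest_feed(self, hashes, source):
        """Merge a new feed (a fresh breach, or the quarterly refresh) into the
        banned list and force a change on every account it exposes.
        Returns the usernames newly flagged by this feed, sorted."""
        new_hashes = {h.upper() for h in hashes} - self.banned
        self.banned |= new_hashes
        flagged = []
        for h in new_hashes:
            for user in sorted(self._by_hash.get(h, ())):
                acct = self.accounts[user]
                if not acct.must_change_password:  # no duplicate alerts
                    acct.must_change_password = True
                    self.events.append(ExposureEvent(user, source))
                    flagged.append(user)
        return sorted(flagged)

    def quarterly_audit(self):
        """Compare every current secret against the full banned list (the
        CJIS quarterly comparison). Returns exposed usernames, sorted."""
        return sorted(u for u, a in self.accounts.items()
                      if a.password_hash in self.banned)


def make_accounts():
    """Constructed sample directory; dave reuses alice's password."""
    return [
        Account("alice", sha1_hex("Summer2023!")),
        Account("bob", sha1_hex("Tr0ub4dor&3")),
        Account("carol", sha1_hex("correct horse battery staple")),
        Account("dave", sha1_hex("Summer2023!")),
    ]


def run_demo():
    mon = CredentialMonitor(make_accounts())
    first = mon.ingest_feed([sha1_hex("Summer2023!"), sha1_hex("12345678")], "breach-2024-05")
    again = mon.ingest_feed([sha1_hex("Summer2023!")], "breach-2024-05-dup")  # already known
    second = mon.ingest_feed([sha1_hex("Tr0ub4dor&3")], "breach-2024-06")
    audit_before = mon.quarterly_audit()
    mon.set_password_hash("alice", sha1_hex("a new unbreached secret"))
    audit_after = mon.quarterly_audit()
    return first, again, second, audit_before, audit_after, mon.events


if __name__ == "__main__":
    for label, value in zip(["first feed", "duplicate feed", "second feed",
                             "audit before reset", "audit after reset", "events"], run_demo()):
        print(f"{label}: {value}")
```

The reverse index is the part worth keeping: with it a daily feed of new hashes is checked in time proportional to the feed, not to the directory, and one exposed password flags every account that shares it.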

Another benefit of Enzoic’s approach is that it supports the extended password lifetime allowed under CJIS’s advanced standards. Since CJIS v6.0 permits up to 365-day password expiration (in contrast to the legacy 90-day cycle) as long as advanced controls like breach checks are in place, Enzoic helps agencies adopt this user-friendly policy with confidence. The longer lifetime is defensible only because the password is re-checked throughout it: it stays in use while it remains uncompromised, and the moment it appears in a breach Enzoic flags it so it can be reset. This marries security with usability, exactly the balance CJIS aimed for by introducing these controls.

Strengthening Your CJIS Compliance

For law enforcement and criminal justice organizations, meeting CJIS v6.0’s password-related requirements is significantly easier with Enzoic’s solutions. The policy’s focus on banning known compromised passwords and continuously monitoring credentials for exposure aligns perfectly with Enzoic’s capabilities. By outsourcing the heavy lifting of breach data collection and password vetting to Enzoic, agencies can ensure that no user sets a password that is known to be weak or compromised, and that any credentials that do become compromised are swiftly identified and changed. Enzoic automates compliance with the CJIS “banned password” standards: it maintains an up-to-date banned password list, enforces it during password changes, and keeps a watchful eye on your accounts for any sign of credential compromise.

Ready to Enhance Your CJIS Password Compliance?
Explore how Enzoic can automate credential security and simplify CJIS compliance.
Schedule a Demo Today


AUTHOR


Josh Parsons

Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.