Zero Data RetentionQuantum-Ready Entropy256-bit MinimumClient-Side OnlyPost-Quantum ReadyZero KnowledgeNIST SP 800-63BFIPS 140-3 AlignedNo Account NeededDoD CompliantZero Data RetentionQuantum-Ready Entropy256-bit MinimumClient-Side OnlyPost-Quantum ReadyZero KnowledgeNIST SP 800-63BFIPS 140-3 AlignedNo Account NeededDoD Compliant
SOC 29 min readUpdated February 2025

SOC 2 Password Requirements: CC6.1 Explained

What SOC 2 auditors actually check when it comes to password controls, and how to ensure CC6.1 compliance without over-engineering.

What SOC 2 actually is

SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how service organisations handle customer data. Unlike prescriptive standards such as PCI-DSS, SOC 2 is principles-based — it describes outcomes rather than specific technical controls. This gives SaaS companies flexibility in implementation, but it also means that the audit is a judgment call by an independent CPA firm, not a checkbox exercise.

SOC 2 evaluates against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion is mandatory for all SOC 2 reports. Password controls fall primarily under the Security criterion, specifically under Common Criteria 6 (CC6): Logical and Physical Access Controls.

CC6.1 logical access controls

CC6.1 is the specific criterion that governs access controls to protected data and systems. The full text reads: "The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives."

The AICPA supplemental guidance for CC6.1 identifies several "points of focus" — areas auditors use to evaluate whether the criterion is met. The most relevant to password controls:

  • Identifies and authenticates users: The entity identifies and authenticates users before allowing access to protected information or systems
  • Restricts access based on business requirements: Access is granted to authorised users in a manner that meets business objectives — least privilege
  • Considers network segmentation: Access paths to sensitive systems are restricted
  • Manages points of access: Points of access to the system are identified and security controls are implemented at those points
  • Authenticates with the environment: Users are identified and authenticated for both local and remote access

What auditors look for

SOC 2 auditors evaluate evidence over a period — typically 6 or 12 months for a Type II report. For password controls, the evidence they want to see:

  • Written policy: A documented password policy that sets minimum standards. The policy must be approved, dated, and distributed to all relevant personnel.
  • Technical enforcement: Screen-shot or system configuration evidence showing that the technical controls enforce the policy — not just that the policy exists. A written policy saying "12-character minimum" that is not enforced at the system level is a finding.
  • Access review logs: Evidence that user access is reviewed periodically (typically quarterly). This includes who has access to what, and how that access was granted and removed.
  • MFA evidence: Configuration screenshots or access logs showing MFA is enabled for privileged accounts and, increasingly, for all accounts with access to sensitive systems.
  • Terminated user procedures: Evidence showing that access is revoked promptly when employees leave — usually expected within 24 hours of departure.
  • Vendor/third-party access: How external access is granted, monitored, and terminated.
Type I vs Type II: A SOC 2 Type I report evaluates controls at a point in time. Type II evaluates controls over a 6–12 month period. If you are going through SOC 2 Type II, you need to demonstrate that these controls were operational consistently — not just configured correctly on audit day.

Password controls that satisfy CC6.1

SOC 2 does not specify exact values for minimum length or complexity. Auditors evaluate whether controls are "reasonable and appropriate" for the sensitivity of the data being protected. Based on current audit practice and the AICPA guidance:

Minimum password length (standard accounts)≥ 12 characters
Minimum password length (admin/privileged)≥ 16 characters
Character complexityAt least 3 of 4 types
Breached credential checkRequired at creation and reset
Account lockout threshold5–10 failed attempts
Password historyLast 10–12 passwords
Session timeout≤ 30 minutes inactivity

These represent consensus auditor expectations. A SaaS company storing sensitive customer data whose controls fall below these thresholds is likely to receive a qualified opinion or a management letter finding.

Note that SOC 2 auditors are frequently more demanding than HIPAA or ISO 27001 auditors on the privileged access side — the 16-character minimum for admin accounts is genuinely expected, not just recommended.

MFA expectations for SaaS companies

MFA has moved from "recommended" to effectively required in SOC 2 audits. The specific expectations depend on the auditor and the scope of the audit, but the industry baseline as of 2025:

  • Required without exception: MFA for all production system access — cloud console, deployment pipelines, database access, secrets management
  • Required without exception: MFA for all VPN and remote access
  • Required for privileged users: MFA for all administrative accounts in all environments
  • Expected: MFA for all employee access to internal systems (SaaS tools, communication platforms, code repositories)
  • Documentation: A written MFA policy and evidence of enforcement (IdP configuration screenshots, SSO configuration logs)

The acceptable MFA methods for SOC 2 purposes follow NIST AAL2 guidance: TOTP authenticator apps (Google Authenticator, Authy, 1Password), push notifications (Duo, Okta), or hardware keys (YubiKey). SMS OTP is generally not challenged by auditors but increasingly noted as a risk in management letters.

Hardware key recommendation: For admin and production access, FIDO2 hardware keys (YubiKey 5 series) provide phishing-resistant authentication that satisfies NIST AAL3. They eliminate the push fatigue attack vector and are increasingly expected for privileged access in security-conscious SOC 2 audits. YubiKey 5 series →

Documentation requirements

SOC 2 is a documentation-heavy audit. For password and access controls specifically, you need:

  1. Information Security Policy: Top-level policy that establishes the security program and delegates to specific sub-policies
  2. Access Control Policy: Minimum password standards, MFA requirements, session management, account lockout
  3. User Access Management Procedure: How access is granted, modified, and revoked — including timelines for each
  4. Privileged Access Management Procedure: How admin/privileged credentials are managed, rotated, and audited
  5. Access Review Evidence: Completed periodic access reviews — typically quarterly, with sign-off from the reviewer
  6. Onboarding/Offboarding Logs: Evidence showing access was granted and revoked in accordance with policy timelines

All policy documents should be version-controlled with an effective date and the approver identified. Auditors look for policies that are actively maintained, not last updated two years ago.

Privileged access and admin accounts

Privileged access management is one of the most scrutinised areas in SOC 2 audits. The standard expectation:

  • Admin accounts should be separate from standard user accounts — no dual-use (same account for daily email and production console access)
  • Admin credentials must use unique, randomly generated passwords of 16+ characters
  • Admin accounts require hardware MFA (YubiKey or equivalent), not just TOTP
  • Shared admin credentials are a finding — each admin needs an individually attributed account
  • Break-glass accounts (emergency access) must be documented, secured, and audited on every use
  • Admin access must be reviewed at least quarterly, with role changes triggering immediate review
  • Credentials in source code, configuration files, or CI/CD pipelines are findings — use secrets management (HashiCorp Vault, AWS Secrets Manager, etc.)

SOC 2 password checklist

  1. Written Access Control Policy exists, is version-controlled, and was reviewed within the past 12 months
  2. Minimum 12-character password length technically enforced for standard accounts
  3. Minimum 16-character password length technically enforced for admin and privileged accounts
  4. MFA required and enforced for all admin and production system access
  5. MFA required for all VPN and remote access
  6. Account lockout after 5–10 failed attempts, configured in IdP
  7. Session timeout ≤ 30 minutes configured for sensitive systems
  8. Quarterly access reviews completed and documented, with evidence
  9. Terminated user offboarding process documented, with completion within 24 hours
  10. No shared admin credentials — each admin has individually attributed account
  11. No credentials in source code or configuration files — secrets management system in use
  12. Break-glass accounts documented, secured, and audit-logged
  13. Vendor/third-party access documented with defined scope and expiry
PassGeni's SOC 2 preset generates 16-character minimum credentials with full character set — matching the privileged account standard that auditors expect to see. Use it when onboarding admin accounts or rotating shared service credentials before an audit window.

Frequently asked questions

What does SOC 2 CC6.1 require for passwords?

CC6.1 requires logical access controls, including strong authentication. Auditors typically expect minimum 16 characters, complexity, MFA for privileged access, and a documented policy.

What does SOC 2 CC6.1 require for passwords?

CC6.1 requires logical access security including strong authentication controls. Auditors typically expect: minimum 16 characters, complexity requirements, MFA for privileged access, documented password policy, and breach-aware credential management.

What is the minimum password length for SOC 2?

SOC 2 doesn't specify an exact minimum — it requires controls 'appropriate to the risk.' In practice, auditors expect 16+ characters for CC6.1 compliance, especially for admin accounts. PassGeni's SOC 2 preset enforces this automatically.

Is MFA required for SOC 2 Type II certification?

MFA is not explicitly required by the SOC 2 Trust Services Criteria, but its absence is increasingly cited by auditors as a control gap under CC6.1. Most organisations pursuing SOC 2 Type II implement MFA for all internal systems as a matter of course.

How does SOC 2 define 'appropriate' password security?

SOC 2 auditors evaluate whether controls are appropriate to the entity's risk profile. For a SaaS company handling sensitive customer data, appropriate typically means 16+ character passwords, MFA, a written policy, regular access reviews, and breach credential monitoring.

Does SOC 2 require a written password policy?

Yes — CC1.4 requires documented policies and CC6.1 requires logical access controls to be formalised. Your password policy must be documented, approved, communicated to all relevant personnel, and reviewed periodically. Use PassGeni's Policy Generator for a SOC 2-aligned template.

How often should passwords be rotated for SOC 2?

SOC 2 doesn't mandate rotation frequency. Following NIST 800-63B (industry standard), rotate only upon suspected compromise. What auditors focus on instead: MFA, strong generation, access reviews, and breach monitoring — not rotation frequency.

Can I use PassGeni to demonstrate SOC 2 compliance?

PassGeni's SOC 2 preset enforces the password strength controls auditors expect under CC6.1. The Policy Generator creates a written policy you can include in your SOC 2 evidence package. For API-driven onboarding flows, the Team API provides programmatic compliance enforcement with audit trail capability.

What is the difference between SOC 2 Type I and Type II for passwords?

SOC 2 Type I assesses whether controls are suitably designed at a point in time. Type II assesses whether they operated effectively over a period (typically 6-12 months). For passwords, Type II requires evidence that your password controls were consistently applied — logs, policy adherence records, and access reviews.

Do subprocessors need SOC 2 compliant passwords?

CC9.2 requires organisations to assess vendor controls. If your subprocessors access your systems or customer data, their password and authentication practices are in scope. Request their SOC 2 reports or equivalent evidence. Ensure their API access uses compliant credentials.

Related guides
← All guidesGenerate password →