8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects 8.5.2 Verify user identity before performing password resets 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use 8.5.4 Immediately revoke access for any terminated users 8.5.5 Remove inactive user accounts at least every 90 days 8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed 8.5.7 Communicate password procedures and policies to all users who have access to cardholder data 8.5.8 Do not use group, shared, or generic accounts and passwords 8.5.9 Change user passwords at least every 90 days 8.5.10 Require a minimum password length of at least seven characters 8.5.11 Use passwords containing both numeric and alphabetic characters 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts 8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID 8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users