21 CFR Part 11 Password Requirements [Explained]

May 12, 2023 | 21 CFR Part 11

21 CFR Part 11 is part of a regulation enforced by the Food and Drug Administration (FDA) that outlines the requirements for electronic records and electronic signatures.

These requirements are relevant for Life Science companies that operate in the United States market and that choose to use electronic records and signatures in place of paper records and handwritten signatures.

One of the specific requirements outlined in 21 CFR Part 11 is the need for passwords.

These password requirements aim to ensure that access to electronic records and the use of digital signatures are limited to authorized individuals only.

This article will discuss 21 CFR Part 11 password requirements, provide best practices for password creation and management, and explain how SimplerQMS complies with these requirements.

SimplerQMS provides an eQMS software solution specifically designed for Life Science companies and ensures full compliance with 21 CFR Part 11. Schedule a personalized demo of SimplerQMS and talk to our experts to learn more about our solution.

What are 21 CFR Part 11 Password Requirements?

The FDA 21 CFR Part 11 specifies password security and management requirements in electronic record and signature systems.

Compliance with these requirements is essential for Life Science companies operating in the US market and opting to use electronic records and digital signatures. The FDA requires computerized systems to maintain accurate and secure electronic records.

Major noncompliance with FDA requirements can result in significant financial penalties, warning letters, product recalls, and damage to a company’s reputation.

The following sections will outline the password requirements according to 21 CFR Part 11.


The information presented in this article is for educational purposes only and does not serve as official regulatory guidance. It is recommended that companies refer to 21 CFR Part 11 for official information.

Implement Unique Passwords (Section 11.300(a))

The system should have controls to ensure unique password and identification code combinations for authorized users, as outlined in section 21 CFR 11.300(a).

If two individuals were to share the same identification code and password, it would be impossible to determine who executed a digital signature or changed an electronic record. This could lead to inaccuracies, errors, and potential regulatory violations.

Control measures for having unique passwords might include using encryption and implementing password policies that enforce complex passwords.

Prevent Password Aging (Section 11.300(b))

Section 21 CFR 11.300(b) states that it is important to ensure that identification codes and passwords are periodically checked, recalled, or revised to maintain the security and integrity of electronic records and signatures.

These checks help ensure that passwords and identification codes are still valid and have not been compromised in any way.

One way to achieve this is by requiring employees to change their passwords after a certain period, for instance, every 90 days. Frequently changing passwords reduces the risk of unauthorized access to electronic records by people who obtain a password illegally, for example through hacking.

Additionally, procedures should be in place to immediately deactivate or update identification codes and passwords if an employee leaves the company or if the credentials are suspected of having been compromised.

Ensure Loss Management Procedures (Section 11.300(c))

Section 21 CFR 11.300(c) states that loss management procedures should be followed to deauthorize any device that keeps or generates identification codes or password information that has been lost, stolen, or potentially compromised.

Once a device is no longer authorized, the system should be able to issue password replacements using suitable and rigorous controls.

It is important to note that loss management procedures should be reviewed and updated regularly to ensure their effectiveness.

In addition, all employees should be trained on the proper procedures for reporting lost or stolen passwords to reduce the risk of unauthorized access.

Avoid Unauthorized Use of Passwords (Section 11.300(d))

The system should have transaction safeguards in place to prevent the unauthorized use of passwords and identification codes as per section 21 CFR 11.300(d).

Transaction safeguards may include various security measures, such as encryption, access controls, multi-factor authentication (MFA), and other security measures that protect data during transmission and storage.

It is also important to promptly detect and report unauthorized system access attempts to the security unit.

Perform Password Device Testing (Section 11.300(e))

Section 21 CFR 11.300(e) specifies that testing devices containing identification codes or password information is required to ensure their proper functioning and detect any potential alterations.

This includes devices such as tokens and cards that are used to generate or store identification codes and passwords.

Initial testing is important to ensure the device is functioning properly before use. Periodic testing is also necessary to ensure that the device continues functioning correctly and has not been compromised since the initial testing.

While this article only discusses the password requirements specified in 21 CFR Part 11, it is worth noting that several other requirements are outlined in this part of the regulation.

We suggest reading our 21 CFR Part 11 compliance article if you want to further your knowledge on the subject.

Best Practices for Password Creation and Management

Following best practices for creating and managing passwords is essential to maintaining the security and integrity of electronic records and digital signatures.

Here are some examples of best practices to improve password security:

Create Complex Passwords

It is important to implement rules for strong and complex passwords. Additionally, prevent multiple people from using the same login information by ensuring that each person has at least two distinct identification components such as an identification code and password.

Establish a password procedure that requires users to:

  • Create complex and unique passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid easily guessable passwords, such as common words, sequential numbers, or easily identifiable information.
  • Have a minimum password length, typically at least eight characters.

For instance, SimplerQMS software uses Microsoft Entra ID (previously known as Microsoft Azure Active Directory), and one of its many uses is to ensure strong and secure passwords.

The system validates and manages the uniqueness of identification codes and passwords and ensures that no two individuals can have the same combination of code and password to access the system.

Screenshot: a prompt requiring users to verify their identity to log in to SimplerQMS.

Periodically Update Passwords

You should regularly check and update identification codes and passwords. This is important to prevent password aging and maintain security.

One way to ensure this is to establish a procedure that requires users to change their passwords periodically. This measure helps ensure that outdated passwords are promptly updated, improving overall security.

In SimplerQMS, for example, procedures for password expiry are in place. Passwords are automatically required to be updated every three months. Furthermore, the past 42 passwords are saved and cannot be reused.
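
The rules described above (minimum length, character mix, expiry after 90 days, and a 42-entry reuse history) can be expressed as one policy check. This is an added example, not SimplerQMS or Microsoft Entra ID code; the `Account` class, the rule names, the user-ID check, and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

MIN_LENGTH = 8                      # minimum length named in the article
MAX_AGE = timedelta(days=90)        # expiry period named in the article
HISTORY_DEPTH = 42                  # past passwords that cannot be reused
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def _digest(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256. The history stores salted digests,
    # never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account record, one per unique identification code."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.history = []           # (salt, digest) pairs, newest last
        self.changed_at = None

    def violations(self, candidate):
        """Return the names of the policy rules the candidate breaks."""
        found = []
        if len(candidate) < MIN_LENGTH:
            found.append("too_short")
        if not all(re.search(c, candidate) for c in CLASSES):
            found.append("missing_character_class")
        if self.user_id.lower() in candidate.lower():
            found.append("contains_user_id")   # easily identifiable information
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                found.append("reused")
                break
        return found

    def set_password(self, candidate, now):
        """Store the password if it passes; return the violations found."""
        problems = self.violations(candidate)
        if not problems:
            salt = os.urandom(16)
            entry = (salt, _digest(candidate, salt))
            self.history = (self.history + [entry])[-HISTORY_DEPTH:]
            self.changed_at = now
        return problems

    def is_expired(self, now):
        return self.changed_at is None or now - self.changed_at >= MAX_AGE
```

Because each history entry has its own salt, checking for reuse means re-deriving the candidate against every stored salt, which is why the history depth also bounds the cost of a password change.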

Handle Lost and Stolen Passwords

It is important to have a plan of action if the devices that store or generate identification codes and passwords are lost or compromised.

A practical way to do this is by asking users to report any theft or loss of their authentication credentials as soon as possible and quickly disabling any lost device. When issuing replacements, strict controls should be in place to prevent unauthorized access and keep the new devices secure.

For example, SimplerQMS connects with Microsoft Entra ID to centrally control access to the system and applications, improving visibility and control of loss management procedures. Via Microsoft Entra ID, it is possible to deauthorize users and reset passwords if necessary.

Use Transaction Safeguards

Implement transaction safeguards to prevent unauthorized use of identification codes and passwords.

These security measures might include:

  • Account lockout policies, with a limited number of failed login attempts.
  • Multi-factor authentication (MFA) for an additional layer of security.
  • An automated system that detects failed login attempts or unusual login patterns, such as login from unfamiliar locations.
  • Detection and reporting of any unauthorized attempts to use identification codes or passwords.
  • Antivirus software that scans files to detect and remove any malicious code, such as viruses.

For example, you could automatically lock computer screens with a password-protected screen saver after 10 minutes of inactivity to prevent unauthorized access and data manipulation.

You could also employ multi-factor authentication (MFA) to further secure access to the system, requiring users to provide supplementary verification in addition to their login credentials.
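
The lockout and reporting safeguards listed above can be sketched as a replay over login events that locks an account after repeated failures and records what should be reported to the security unit. This is an added example, not code from SimplerQMS or any product; the function name, the threshold of five failures, the 15-minute window, and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # assumed threshold; the article names no number
WINDOW = timedelta(minutes=15)      # assumed counting window

def review_logins(events, known_ids):
    """Replay (timestamp, user_id, success) events; return (locked_ids, alerts)."""
    failures = defaultdict(deque)
    locked, alerts = set(), []
    for ts, user_id, success in sorted(events):
        if user_id not in known_ids:
            alerts.append((ts, user_id, "unknown_identification_code"))
            continue
        if user_id in locked:
            # Once locked, even a correct password is refused and reported.
            alerts.append((ts, user_id, "attempt_on_locked_account"))
            continue
        if success:
            failures[user_id].clear()
            continue
        recent = failures[user_id]
        recent.append(ts)
        while ts - recent[0] > WINDOW:      # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked.add(user_id)
            alerts.append((ts, user_id, "account_locked"))
    return locked, alerts

# Constructed sample events, not taken from any real system.
T0 = datetime(2023, 5, 12, 9, 0)
SAMPLE = (
    [(T0 + timedelta(minutes=m), "asmith", False) for m in range(5)]
    + [(T0 + timedelta(minutes=6), "asmith", True),
       (T0 + timedelta(minutes=1), "bjones", False),
       (T0 + timedelta(minutes=2), "bjones", True),
       (T0 + timedelta(minutes=3), "ghost", False)]
)

if __name__ == "__main__":
    for alert in review_logins(SAMPLE, {"asmith", "bjones"})[1]:
        print(*alert)
```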

Test and Monitor Devices

Conduct a periodic test of devices that generate login credentials to ensure they work as intended.

Provide Training to Employees

Providing regular training to educate employees about password security can help ensure that users understand and follow relevant requirements.

A practical approach is to instruct employees on how to use the electronic records and electronic signature system, how to create strong passwords, and best practices for password management.

For instance, using Training Management capabilities in SimplerQMS, you could create learning rules and attach 21 CFR Part 11 related procedures and documents for learning. You could then automatically assign training to relevant personnel, send notifications and reminders, and monitor training status.

As a part of the training, you could also create quizzes to assess training effectiveness.

Screenshot: creating a quiz in SimplerQMS using a metadata card, where the department, number of questions, and passing criteria can be personalized.

How SimplerQMS Meets 21 CFR Part 11 Password Requirements

SimplerQMS offers a comprehensive Life Science QMS software solution that meets the requirements of 21 CFR Part 11.

SimplerQMS complies with the password requirements outlined in 21 CFR Part 11 through:

  • Managing identification codes and passwords and preventing duplicate identification codes and password combinations.
  • Connecting to Microsoft Entra ID and enforcing password strength and expiration rules.
  • Saving the user’s last 42 passwords and prohibiting their reuse.
  • Automatically expiring passwords every three months and requiring their update.
  • Implementing procedures for complex password creation to enhance password security.
  • Preventing unauthorized access by anyone other than the authorized user.
  • Performing testing and validation processes to ensure the system performs as intended.

In addition to a secure and 21 CFR Part 11 compliant documentation system, SimplerQMS provides all Life Science QMS modules. Besides document control and management, we offer modules for change, non-conformance and deviation, CAPA, training, supplier management, and more.

If you are unsure of the advantages of having SimplerQMS, consider downloading our eQMS Business Case template.

By utilizing this resource (with pre-configured spreadsheet and presentation slides), you can identify the value an eQMS can bring to your company. Then present your findings to the management or board.

Download the template below to make a compelling case for implementing an eQMS in your company.

Final Thoughts

Essential for Life Science companies operating in the US market, 21 CFR Part 11 is part of FDA regulation that outlines requirements for trustworthy and reliable electronic records and digital signatures.

One of the requirements outlined in 21 CFR Part 11 is the use of passwords to limit system access to electronic records and digital signatures to authorized personnel only.

Many companies have adopted 21 CFR Part 11 compliant electronic Quality Management Systems (eQMS) to manage processes more efficiently and ensure compliance.

SimplerQMS offers a fully 21 CFR Part 11 compliant eQMS software solution specifically designed for Life Science companies.

Book a personalized demo of SimplerQMS to see it in action and talk to our system experts about how we can help you streamline quality and compliance processes.
