Set a password regeneration mechanism
Summary
The system must provide a secure mechanism to regenerate a user's password.
Description
Passwords are identity assertion elements that can be easily lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a breach in the system. Thus, systems should have a secure mechanism that allows users to generate a new password in either of these scenarios. Furthermore, none of these mechanisms should send a recovery secret in plain text nor should they reveal the current password.
References
- CWE-640. Weak password recovery mechanism for forgotten password
- OWASP10-A7. Identification and authentication failures
- MITRE-M1027. Password policies
- CMMC-IA_L2-3_5_9. Temporary passwords
- HITRUST-01_d. User password management
- IEC62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
- WASC-W_49. Insufficient password recovery
- OWASPSCP-3. Authentication and password management
- CWE25-798. Use of hard-coded credentials
- C2M2-4_1_d. Establish identities and manage authentication
- ASVS-2_1_5. Password security
- ASVS-2_5_1. Credential recovery
- ASVS-2_6_3. Look-up secret verifier
- SANS25-18. Use of hard-coded credentials
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan