126 – Set a password regeneration mechanism

Summary

The system must provide a secure mechanism to regenerate a user's password.

Description

Passwords are identity assertion elements that can be easily lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a breach in the system. Thus, systems should have a secure mechanism that allows users to generate a new password in either of these scenarios. Furthermore, none of these mechanisms should send a recovery secret in plain text nor should they reveal the current password.

Supported In

Advanced: True

References

• CWE-640. Weak password recovery mechanism for forgotten password
• OWASP10-A7. Identification and authentication failures
• MITRE-M1027. Password policies
• CMMC-IA_L2-3_5_9. Temporary passwords
• HITRUST-01_d. User password management
• IEC62443-CR-1_7. Strength of password-based authentication
• OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
• WASC-W_49. Insufficient password recovery
• OWASPSCP-3. Authentication and password management
• CWE25-798. Use of hard-coded credentials
• C2M2-4_1_d. Establish identities and manage authentication
• ASVS-2_1_5. Password security
• ASVS-2_5_1. Credential recovery
• ASVS-2_6_3. Look-up secret verifier
• SANS25-18. Use of hard-coded credentials

Last updated

2024/02/05