131 – Deny multiple password changing attempts

Summary

Passwords are not allowed to be changed more than once in the same day.

Description

By limiting the frequency of password changes to once per day is implemented as a security policy that helps to balance usability and security considerations.

Supported In

Advanced: True

References

• CWE-620. Unverified password change
• CWE-640. Weak password recovery mechanism for forgotten password
• OWASP10-A7. Identification and authentication failures
• MITRE-M1027. Password policies
• MITRE-M1036. Account use policies
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• CMMC-IA_L2-3_5_7. Password complexity
• HITRUST-01_d. User password management
• FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
• IEC62443-IAC-1_11. Unsuccessful login attempts
• OWASPSCP-3. Authentication and password management
• SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
• ASVS-2_6_1. Look-up secret verifier
• OWASPAPI-API8. Security Misconfiguration
• CASA-2_6_1. Look-up Secret Verifier

Last updated

2024/01/26