138 – Define lifespan for temporary passwords

Summary

Temporary passwords for first system login must have a maximum lifespan of 120 minutes.

Description

Temporary passwordsare often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Therefore, the system must discard them or make them unusable after 120 minutes.

Supported In

Essential: True

Advanced: True

References

• CWE-263. Password aging with long expiration
• MITRE-M1027. Password policies
• MITRE-M1036. Account use policies
• CMMC-IA_L2-3_5_9. Temporary passwords
• HITRUST-01_d. User password management
• FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
• IEC62443-IAC-1_7. Strength of password-based authentication
• IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
• OWASPSCP-3. Authentication and password management
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• NIST800171-5_9. Allow temporary password use for system logons with an immediate change to a permanent password
• CWE25-287. Improper authentication
• ASVS-2_3_1. Authenticator lifecycle
• CASA-2_3_1. Authenticator Lifecycle
• SANS25-13. Improper authentication

Weaknesses

• 401 – Insecure service configuration - AKV Secret Expiration
• 403 – Insecure service configuration - usesCleartextTraffic

Last updated

2024/02/05