Define lifespan for temporary passwords
Summary
Temporary passwords for first system login must have a maximum lifespan of 120 minutes.
Description
Temporary passwordsare often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Therefore, the system must discard them or make them unusable after 120 minutes.
References
- CWE-263. Password aging with long expiration
- MITRE-M1027. Password policies
- MITRE-M1036. Account use policies
- CMMC-IA_L2-3_5_9. Temporary passwords
- HITRUST-01_d. User password management
- FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
- IEC62443-IAC-1_7. Strength of password-based authentication
- IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- OWASPSCP-3. Authentication and password management
- NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- NIST800171-5_9. Allow temporary password use for system logons with an immediate change to a permanent password
- CWE25-287. Improper authentication
- ASVS-2_3_1. Authenticator lifecycle
- CASA-2_3_1. Authenticator Lifecycle
- SANS25-13. Improper authentication
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan