238 – Establish safe recovery

Summary

The system must guarantee that the person performing the password recovery or reset process is actually the owner.

Description

Systems must have mechanisms that enable users to update and recover their passwords while guaranteeing the authenticity of the request. In the case of a password update, the system must request both the new and the old passwords. If the user wants to recover a lost or forgotten password, the system must ascertain the users ownership of the corresponding account.

Supported In

Advanced: True

References

• CWE-257. Storing passwords in a recoverable format
• CWE-345. Insufficient verification of data authenticity
• CWE-620. Unverified password change
• CWE-640. Weak password recovery mechanism for forgotten password
• OWASP10-A7. Identification and authentication failures
• OWASP10-A8. Software and data integrity failures
• PDPO-S1_4. Security of personal data
• HITRUST-01_d. User password management
• WASSEC-6_2_1_3. Authentication - Weak password recovery validation
• WASC-W_49. Insufficient password recovery
• MVSP-2_4. Application design controls - Password policy
• OWASPSCP-3. Authentication and password management
• ASVS-2_5_3. Credential recovery
• ASVS-2_5_6. Credential recovery
• SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
• SIG-H_3_7. Access control
• ASVS-2_6_3. Look-up secret verifier
• NIST-RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process

Weaknesses

• 417 – Account Takeover
• 420 – Password reset poisoning
• 033 – Password change without identity check

Last updated

2024/03/05