The system must provide a secure mechanism to regenerate a user's password.
Passwords are identity assertion elements that can be easily lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a breach in the system. Thus, systems should have a secure mechanism that allows users to generate a new password in either of these scenarios. Furthermore, none of these mechanisms should send a recovery secret in plain text nor should they reveal the current password.
CWE-521: Weak Password Requirements: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
CWE-640: Weak Password Recovery Mechanism for Forgotten Password: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.5): Verify users can change their password.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.1): Verify that a system generated initial activation or recovery secret is not sent in clear text to the user.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.3): Verify password credential recovery does not reveal the current password in any way.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.6): Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism.
PCI DSS v3.2.1 - Requirement 8.2.5: Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.