Set a password regeneration mechanism
Summary
The system must provide a secure mechanism to regenerate a user's password.
Description
Passwords are identity assertion elements that can be easily lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a breach in the system. Thus, systems should have a secure mechanism that allows users to generate a new password in either of these scenarios. Furthermore, none of these mechanisms should send a recovery secret in plain text nor should they reveal the current password.
Supported In
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References
- CWE™-640. Weak password recovery mechanism for forgotten password
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1027. Password policies
- CMMC-IA_L2-3_5_9. Temporary passwords
- HITRUST CSF-01_d. User password management
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
- WASC-W_49. Insufficient password recovery
- OWASP SCP-3. Authentication and password management
- CWE TOP 25-798. Use of hard-coded credentials
- C2M2-4_1_d. Establish identities and manage authentication
- OWASP ASVS-2_1_5. Password security
- OWASP ASVS-2_5_1. Credential recovery
- OWASP ASVS-2_6_3. Look-up secret verifier
- SANS 25-18. Use of hard-coded credentials
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.