The system must provide a secure mechanism to regenerate a user's password.
Passwords are identity assertion elements that can easily be lost or forgotten. Additionally, they can be leaked as a result of a user's actions or a breach in the system. Thus, systems should have a secure mechanism that allows users to generate a new password in either of these scenarios. Furthermore, such a mechanism must never send a recovery secret in plain text, nor reveal the current password.
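As an added example (not part of this requirements page), a minimal Python sketch of the mechanism described above: the server issues a random, single-use, time-limited reset token, stores only a hash of it, and lets the user set a fresh password without the current password ever being recoverable or disclosed. The user names, the in-memory stores and the 15-minute token lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a real user database.
USERS = {"alice": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 digest; only this digest is stored, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use, time-limited reset token for an existing user.
    The raw token travels only in the out-of-band message (e.g. a reset link);
    the server keeps just its SHA-256, so a database leak does not expose it."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "expires": (now or time.time()) + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token and set a new password. The old password is never
    recovered or revealed: only its salted digest exists, and it is replaced."""
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or (now or time.time()) > record["expires"]:
        return False
    record["used"] = True  # reject any replay of the same token
    USERS[record["user"]]["password_hash"] = hash_password(new_password)
    return True
```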
This requirement is verified in the following services:
- CWE-640. Weak password recovery mechanism for forgotten password
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1027. Password policies
- CMMC-IA_L2-3_5_9. Temporary passwords
- HITRUST CSF-01_d. User password management
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
- WASC-W_49. Insufficient password recovery
- OWASP SCP-3. Authentication and password management
- CWE TOP 25-798. Use of hard-coded credentials
- C2M2-4_1_d. Establish identities and manage authentication