Define lifespan for temporary passwords
Summary
Temporary passwords for first system login must have a maximum lifespan of 120 minutes.
Description
Temporary passwordsare often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Therefore, the system must discard them or make them unusable after 120 minutes.
Supported In
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🔴 |
References
- CWE™-263. Password aging with long expiration
- MITRE ATT&CK®-M1027. Password policies
- MITRE ATT&CK®-M1036. Account use policies
- CMMC-IA_L2-3_5_9. Temporary passwords
- HITRUST CSF-01_d. User password management
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-IAC-1_7. Strength of password-based authentication
- ISA/IEC 62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- OWASP SCP-3. Authentication and password management
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- NIST 800-171-5_9. Allow temporary password use for system logons with an immediate change to a permanent password
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-2_3_1. Authenticator lifecycle
- CASA-2_3_1. Authenticator Lifecycle
- SANS 25-13. Improper authentication
Vulnerabilities
- 401. Insecure service configuration - AKV Secret Expiration
- 403. Insecure service configuration - usesCleartextTraffic
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.