Establish safe recovery
Summary
The system must guarantee that the person performing the password recovery or reset process is actually the owner.
Description
Systems must have mechanisms that enable users to update and recover their passwords while guaranteeing the authenticity of the request. In the case of a password update, the system must request both the new and the old passwords. If the user wants to recover a lost or forgotten password, the system must ascertain the users ownership of the corresponding account.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CWE™-257. Storing passwords in a recoverable format
- CWE™-345. Insufficient verification of data authenticity
- CWE™-620. Unverified password change
- CWE™-640. Weak password recovery mechanism for forgotten password
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP TOP 10-A8. Software and data integrity failures
- NIST Framework-RC_RP-1. Recovery plan is executed during or after a cybersecurity incident
- PDPO-S1_4. Security of personal data
- HITRUST CSF-01_d. User password management
- WASSEC-6_2_1_3. Authentication - Weak password recovery validation
- WASC-W_49. Insufficient password recovery
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- OWASP ASVS-2_5_3. Credential recovery
- OWASP ASVS-2_5_6. Credential recovery
- SIG Lite-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG Core-H_3_7. Access control
- OWASP ASVS-2_6_3. Look-up secret verifier
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.