R136. Force temporary password change


The system must force the change of automatically generated temporary passwords after their first use.


Temporary passwords are often harder to remember and are typically delivered over channels (e-mail, chat, paper) whose future integrity cannot be guaranteed by the system that generated them. Therefore, users should be forced to change them after their first use.
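A minimal credential store that enforces this requirement, written as an added example and not part of this requirement page: a temporary password authenticates exactly once, expires after an assumed 24-hour lifetime, and cannot be kept as the permanent password. `authenticate` returns "denied", "must_change" or "ok" so the application can route the first login straight to a mandatory password change; the names (`PasswordStore`, `TEMP_TTL_SECONDS`) and the PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass

TEMP_TTL_SECONDS = 24 * 3600  # assumed lifetime of a temporary password

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    temporary: bool = False           # system-generated, must be replaced on first use
    expires_at: float = float("inf")  # only finite for temporary credentials
    used: bool = False                # a temporary credential authenticates once

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class PasswordStore:
    def __init__(self, now=time.time):
        self._creds = {}
        self._now = now  # injectable clock so expiry can be tested

    def _matches(self, c: Credential, password: str) -> bool:
        return hmac.compare_digest(_digest(password, c.salt), c.digest)

    def issue_temporary(self, user: str) -> str:
        pw = secrets.token_urlsafe(12)  # random, 16 chars; returned once for delivery
        salt = os.urandom(16)
        self._creds[user] = Credential(salt, _digest(pw, salt), True, self._now() + TEMP_TTL_SECONDS)
        return pw

    def authenticate(self, user: str, password: str) -> str:
        c = self._creds.get(user)
        if c is None or not self._matches(c, password):
            return "denied"
        if c.temporary:
            if c.used or self._now() > c.expires_at:
                return "denied"  # single use and bounded lifetime
            c.used = True
            return "must_change"  # caller must route the session to change_password
        return "ok"

    def change_password(self, user: str, current: str, new: str) -> bool:
        c = self._creds.get(user)
        if c is None or not self._matches(c, current) or self._now() > c.expires_at:
            return False  # unknown user, wrong current secret, or expired temporary
        if self._matches(c, new):
            return False  # the temporary secret may not become the permanent one
        salt = os.urandom(16)
        self._creds[user] = Credential(salt, _digest(new, salt))  # permanent, never expires
        return True
```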


  1. CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

  2. NIST 800-63B 6.1.1 Binding at Enrollment. Temporary secrets SHALL NOT be reused.

  3. OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements. (2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.

  4. PCI DSS v3.2.1 - Requirement 8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

