R137. Change temporary passwords of third parties


The system must force the change of temporary passwords, which are generated by a third party, after their first use.


Temporary passwords are often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Furthermore, there is no control over who has access to the secret besides the third party. Therefore, the passwords should be changed after their first use.


  1. CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

  2. NIST 800-63B 6.1.1 Binding at Enrollment Temporary secrets SHALL NOT be reused.

  3. OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements.(2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.

  4. PCI DSS v3.2.1 - Requirement 8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

Service status - Terms of Use - Privacy Policy - Cookie Policy

Copyright © 2021 Fluid Attacks, We hack your software. All rights reserved.