Temporary passwords for first system login must have a maximum lifespan of 120 minutes.
Temporary passwords are often harder to remember and are shared over systems whose future integrity the system that created them may not be able to guarantee. Therefore, the system must discard them or make them unusable after 120 minutes.
CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.
OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements. (2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.
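One way to enforce the 120-minute lifespan together with the ASVS 2.3.1 conditions, as an added example that is not part of the original requirement text. The class name `TempCredentialStore`, its methods, the status strings, the 12-character default and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

TEMP_TTL_SECONDS = 120 * 60  # maximum lifespan stated in the requirement
ALPHABET = string.ascii_letters + string.digits


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TempCredentialStore:
    """Hypothetical in-memory store; a real system would persist records."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # user -> (salt, digest, issued_at)

    def issue(self, user: str, length: int = 12) -> str:
        if length < 6:  # ASVS 2.3.1 minimum length
            raise ValueError("temporary password too short")
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, _digest(password, salt), self._clock())
        return password  # delivered once; only the digest is kept

    def redeem(self, user: str, candidate: str, new_password: str) -> str:
        """First login. Returns an internal status for logging, not for display."""
        record = self._records.get(user)
        if record is None:
            return "invalid"
        salt, digest, issued_at = record
        if self._clock() - issued_at >= TEMP_TTL_SECONDS:
            del self._records[user]  # discard once the lifespan is over
            return "expired"
        if not hmac.compare_digest(digest, _digest(candidate, salt)):
            return "invalid"
        if candidate == new_password:  # must not become the long-term password
            return "reuse"
        del self._records[user]  # single use: consumed on success
        return "ok"
```

The injectable `clock` lets the expiry rule be tested without waiting; the check is made at redemption time, so no background job is needed to make an old temporary password unusable.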