R126. Set a password regeneration mechanism

This document contains the details of the security requirements related to the definition and management of access credentials in the organization. This requirement establishes the importance of defining a mechanism to securely regenerate user passwords.


The system must provide a secure mechanism to regenerate a user’s password.


Passwords are identity assertion elements that can be easily lost or forgotten. Systems should have a secure mechanism that allows users to generate a new password when they have lost their previous one. Alternatively, passwords can be leaked as a result of a user’s actions or a breach in the system. Thus, there should also exist a secure mechanism that allows users to change their passwords when they require it. Furthermore, none of these mechanisms should send a recovery secret in plain text nor should they reveal the current password.


  1. CWE-521: Weak Password Requirements. The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  2. CWE-640: Weak Password Recovery Mechanism for Forgotten Password. The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

  3. OWASP-ASVS v4.0.1 V2.1 Password Security Requirements (2.1.5). Verify users can change their password.

  4. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.1). Verify that a system generated initial activation or recovery secret is not sent in clear text to the user.

  5. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.3). Verify password credential recovery does not reveal the current password in any way.

  6. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.6). Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism.
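
One way to build a regeneration path that meets the description and ASVS 2.5.1, 2.5.3 and 2.5.6 above, as an added example that is not part of the original requirement: the user proves possession of a previously enrolled TOTP secret, so no recovery secret is ever sent, and only a salted hash is stored, so the current password cannot be revealed. The names `Account` and `regenerate_password`, the PBKDF2 work factor and the lockout threshold are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 600_000   # assumed work factor for this example
MAX_FAILURES = 5          # assumed lockout threshold
STEP = 30                 # TOTP time step in seconds (RFC 6238 default)

def hash_password(password, salt=None):
    """Only a salted hash is stored, so no path can reveal the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class Account:
    def __init__(self, password, totp_secret):
        self.salt, self.digest = hash_password(password)
        self.totp_secret = totp_secret   # enrolled on the user's device beforehand
        self.last_counter = -1           # highest time step already accepted
        self.failures = 0

def regenerate_password(account, code, new_password, now):
    """Replace the password if `code` is a fresh TOTP for this account."""
    if account.failures >= MAX_FAILURES:
        return False                     # locked: needs out-of-band handling
    current = int(now) // STEP
    for counter in (current - 1, current):   # tolerate one step of clock drift
        expected = hotp(account.totp_secret, counter).encode()
        if counter > account.last_counter and hmac.compare_digest(
                expected, code.encode()):
            account.last_counter = counter   # a code cannot be replayed
            account.failures = 0
            account.salt, account.digest = hash_password(new_password)
            return True
    account.failures += 1
    return False
```

The failure counter and the `last_counter` check limit guessing and replay of a six-digit code; a locked account should be handled through a separate, equally verified channel.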
