R126. Set a password regeneration mechanism

Requirement

The system must provide a secure mechanism to regenerate a user’s password.

Description

Passwords are identity assertion elements that are easily lost or forgotten. Systems should therefore provide a secure mechanism that lets users set a new password when they have lost their previous one. Passwords can also be leaked, whether through a user's own actions or through a breach of the system, so there should also be a secure mechanism that lets users change their password whenever they need to. Neither mechanism should send a recovery secret in plain text, and neither should reveal the current password.
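The following is an added illustration of the requirement, not Fluid Attacks' code and not part of the original page. It sketches a minimal password service in Python that covers both paths described above: a logged-in change that requires the current password (ASVS 2.1.5), and a forgotten-password reset that issues a random, single-use, time-limited token and stores only the token's hash (so no recovery secret sits in the database in the clear). Only salted PBKDF2 digests of passwords are kept, so the current password cannot be revealed, and the last four digests are retained to enforce PCI DSS 8.2.5. The class and constant names (`PasswordService`, `RESET_TTL_SECONDS`, the 15-minute lifetime, the 600,000 PBKDF2 iterations taken from the OWASP Password Storage Cheat Sheet) are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

HISTORY_SIZE = 4                 # PCI DSS 8.2.5: reject any of the last four passwords
RESET_TTL_SECONDS = 15 * 60      # reset-token lifetime; an assumed value
PBKDF2_ITERATIONS = 600_000      # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow password digest; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass
class UserRecord:
    # (salt, digest) pairs, oldest first; the current password is the last entry
    history: list = field(default_factory=list)


@dataclass
class ResetTicket:
    user: str
    token_hash: bytes      # sha256 of the token; the token itself is never persisted
    expires_at: float
    used: bool = False


class PasswordService:
    def __init__(self, now=time.time, iterations=PBKDF2_ITERATIONS):
        self.users = {}        # username -> UserRecord (constructed in-memory store)
        self.tickets = {}      # ticket id -> ResetTicket
        self.now = now         # injectable clock so expiry can be exercised
        self.iterations = iterations

    def _hash(self, password, salt):
        return hash_password(password, salt, self.iterations)

    def register(self, user, password):
        rec = UserRecord()
        self._set_password(rec, password)
        self.users[user] = rec

    def verify(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec.history[-1]
        return hmac.compare_digest(self._hash(password, salt), digest)

    def _is_recent(self, rec, password):
        # True if the candidate equals the current or any of the last few passwords
        return any(hmac.compare_digest(self._hash(password, s), d)
                   for s, d in rec.history[-HISTORY_SIZE:])

    def _set_password(self, rec, password):
        if self._is_recent(rec, password):
            return False
        salt = secrets.token_bytes(16)
        rec.history.append((salt, self._hash(password, salt)))
        del rec.history[:-HISTORY_SIZE]   # keep only what the history policy needs
        return True

    def change_password(self, user, current, new):
        """ASVS 2.1.5: a user may change their password; the current one is required."""
        if not self.verify(user, current):
            return False
        return self._set_password(self.users[user], new)

    def request_reset(self, user):
        """Forgotten-password path. Returns (ticket_id, token) for a one-time link sent
        over a channel the user controls; the server keeps only sha256(token)."""
        if user not in self.users:
            return None     # the HTTP layer should still answer identically (no enumeration)
        ticket_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.tickets[ticket_id] = ResetTicket(
            user, hashlib.sha256(token.encode()).digest(), self.now() + RESET_TTL_SECONDS)
        return ticket_id, token

    def complete_reset(self, ticket_id, token, new_password):
        """Redeem a ticket: unexpired, unused, token matches in constant time, history honoured."""
        t = self.tickets.get(ticket_id)
        if t is None or t.used or self.now() > t.expires_at:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), t.token_hash):
            return False
        if not self._set_password(self.users[t.user], new_password):
            return False    # rejected by the reuse policy; the ticket stays valid for a retry
        t.used = True
        return True
```

The token returned by `request_reset` is the only copy of the secret and is meant to travel inside a link over an out-of-band channel (e-mail, push, or a soft token per ASVS 2.5.6); the server can later confirm it only by hashing what comes back. A deployment would additionally rate-limit `complete_reset` and invalidate other sessions after a successful reset.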

References

  1. CWE-521: Weak Password Requirements. The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  2. CWE-640: Weak Password Recovery Mechanism for Forgotten Password. The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

  3. OWASP-ASVS v4.0.1 V2.1 Password Security Requirements (2.1.5): Verify users can change their password.

  4. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.1): Verify that a system generated initial activation or recovery secret is not sent in clear text to the user.

  5. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.3): Verify password credential recovery does not reveal the current password in any way.

  6. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements (2.5.6): Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism.

  7. PCI DSS v3.2.1 - Requirement 8.2.5: Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.