R138. Define lifespan for temporary passwords

Requirement

Temporary passwords for first system login must have a maximum lifespan of 120 minutes.

Description

Temporary passwords are often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Therefore, the system must discard them or make them unusable after 120 minutes.

Referencias

  1. CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

  2. OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements.(2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy