Category:WASS User Management
From OWASP
From time to time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore the application should provide a secure means for users to change their password and to reset a forgotten one.
- Change password
  - Immediately before changing a password, users must be required to enter their old (existing) password.
  - The new password must meet the existing requirements of this standard.
  - The password change should be performed over a secure connection.
- Forgotten passwords
  - Implement a "secret" question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
  - Old passwords should never be retrievable.
  - When specifying their "secret" question, the user should have a choice of what question they are asked, and/or the question should not have a "predefined" or "limited" choice, such as "what is your favorite color" or "what was your first car".
  - After a number of incorrect attempts at answering the secret question(s), the account should be locked as it would be for incorrect username/password attempts.
  - The user should be required to change their password immediately after correctly answering the secret question(s).
  - A notification of a password change or forgotten-password request should be sent to the user (via email or other communication channels such as SMS).
  - Passwords should never be emailed or displayed.
- All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
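The following is an added example, not code from the OWASP page: a small Python account model that enforces the change and reset rules listed above in one place. The lockout threshold (5 attempts), the stand-in password policy (`password_meets_policy`), and the `notify` callback standing in for an email/SMS channel are assumptions; the "secure connection" requirement is a transport property and is not modelled here.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold; the page gives no number
MIN_PASSWORD_LENGTH = 12     # assumed policy; the standard's own password rules are not on this page
PBKDF2_ROUNDS = 200_000


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: neither passwords nor secret answers are stored recoverably."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalise_answer(answer: str) -> str:
    # Case and surrounding/repeated whitespace should not matter for a secret answer.
    return " ".join(answer.strip().lower().split())


def password_meets_policy(password: str) -> bool:
    """Assumed stand-in for the standard's password requirements (length, letters, digits)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


class Account:
    """Holds one user's credential state and enforces the change/reset rules above."""

    def __init__(self, username, password, question, answer, notify):
        if not password_meets_policy(password):
            raise ValueError("initial password does not meet policy")
        self.username = username
        self.question = question            # free text chosen by the user, not a fixed list
        self.notify = notify                # callable(username, message); email/SMS in a real app
        self._set_password(password)
        self.answer_salt = os.urandom(16)
        self.answer_hash = _hash(_normalise_answer(answer), self.answer_salt)
        self.failed_attempts = 0
        self.locked = False
        self.must_change_password = False   # set after a correct secret-question answer

    def _set_password(self, password):
        self.pw_salt = os.urandom(16)       # fresh salt on every change
        self.pw_hash = _hash(password, self.pw_salt)

    def _verify_password(self, candidate):
        return hmac.compare_digest(self.pw_hash, _hash(candidate, self.pw_salt))

    def _record_failure(self):
        # Wrong old password and wrong secret answer count towards the same lockout.
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True

    def _check_new_password(self, new_password):
        # Must meet policy and must not simply repeat the current password.
        if not password_meets_policy(new_password) or self._verify_password(new_password):
            raise ValueError("new password rejected by policy")

    def change_password(self, old_password, new_password):
        if self.locked:
            raise PermissionError("account is locked")
        if not self._verify_password(old_password):   # old password required first
            self._record_failure()
            raise PermissionError("current password is incorrect")
        self._check_new_password(new_password)
        self._set_password(new_password)
        self.failed_attempts = 0
        self.must_change_password = False
        self.notify(self.username, "Your password was changed.")   # never includes the password

    def answer_secret_question(self, answer):
        """Returns True when the answer matches; a correct answer forces a password change."""
        if self.locked:
            raise PermissionError("account is locked")
        candidate = _hash(_normalise_answer(answer), self.answer_salt)
        if not hmac.compare_digest(self.answer_hash, candidate):
            self._record_failure()
            return False
        self.failed_attempts = 0
        self.must_change_password = True
        self.notify(self.username, "A password reset was requested for your account.")
        return True

    def complete_reset(self, new_password):
        """Second step of the forgotten-password flow: only valid right after a correct answer."""
        if self.locked or not self.must_change_password:
            raise PermissionError("no reset is pending")
        self._check_new_password(new_password)
        self._set_password(new_password)
        self.must_change_password = False
        self.notify(self.username, "Your password was changed.")
```

The old password is never returned or echoed anywhere; the reset flow only ever sets a new one, and every notification is sent without credential material, which is what "never emailed or displayed" requires.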