Establish safe recovery
Summary
The system must guarantee that the person performing the password recovery or reset process is actually the owner.
Description
Systems must have mechanisms that enable users to update and recover their passwords while guaranteeing the authenticity of the request. In the case of a password update, the system must request both the new and the old passwords. If the user wants to recover a lost or forgotten password, the system must ascertain the users ownership of the corresponding account.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWEâ„¢-257. Storing passwords in a recoverable format
- CWEâ„¢-345. Insufficient verification of data authenticity
- CWEâ„¢-620. Unverified password change
- CWEâ„¢-640. Weak password recovery mechanism for forgotten password
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP TOP 10-A8. Software and data integrity failures
- PDPO-S1_4. Security of personal data
- HITRUST CSF-01_d. User password management
- WASSEC-6_2_1_3. Authentication - Weak password recovery validation
- WASC-W_49. Insufficient password recovery
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- OWASP ASVS-2_5_3. Credential recovery
- OWASP ASVS-2_5_6. Credential recovery
- SIG Lite-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG Core-H_3_7. Access control
- OWASP ASVS-2_6_3. Look-up secret verifier
- NIST CSF-RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.