Category:WASS User Management

Deploy mechanisms to securely perform tasks related to user management.
From time to time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore, the application should provide secure means to perform password changes and to allow a user to reset a forgotten password.


 * 1) Change password
 * 2) Immediately before changing a password, users must be required to enter their old (existing) password.
 * 3) The new password must meet the existing requirements of this standard.
 * 4) The password change should be performed over a secure connection.
 * 5) Forgotten passwords
 * 6) Implement a “secret” question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
 * 7) Old passwords should never be retrievable.
 * 8) When specifying their “secret” question, the user should have a choice of what question they are asked, and/or the question should not have a “predefined” or “limited” choice, such as “what is your favorite color” or “what was your first car”.
 * 9) After a number of incorrect attempts at answering the secret question(s), the account should be locked as it would be for incorrect username/password attempts.
 * 10) The user should be required to change their password immediately after correctly answering the secret question(s).
 * 11) A notification of a password change or forgotten-password request should be sent to the user (via email or another communication channel such as SMS).
 * 12) Passwords should never be emailed or displayed.
 * 13) All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
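The following is an added example, not part of this standard, showing how the change-password and forgotten-password requirements above (2, 3, 4, 7, 9, 10, 11 and 12) fit together in application code. It is illustrative Python: the policy values (minimum length, attempt limit, PBKDF2 iteration count), the `password_meets_policy` rule and the `notify` callback standing in for email/SMS delivery are assumptions for this example, not values the standard prescribes.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumed policy values for this example; the standard's own password
# requirements are defined in its other sections.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 200_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Only the digest is stored, so neither old
    passwords nor secret-question answers are ever retrievable (req. 7)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def _new_credential(secret: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_secret(secret, salt)


def _verify(secret: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(_hash_secret(secret, salt), digest)


def password_meets_policy(pw: str) -> bool:
    """Stand-in for the standard's password rules (assumed: length plus
    lower-case, upper-case and digit characters)."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


@dataclass
class Account:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    question: str          # written by the user, not picked from a fixed list
    ans_salt: bytes
    ans_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False


def create_account(username, password, question, answer) -> Account:
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    pw_salt, pw_hash = _new_credential(password)
    ans_salt, ans_hash = _new_credential(answer.strip().lower())
    return Account(username, pw_salt, pw_hash, question, ans_salt, ans_hash)


def _set_password(acct, new_password, notify, message) -> bool:
    if not password_meets_policy(new_password):            # req. 3
        return False
    acct.pw_salt, acct.pw_hash = _new_credential(new_password)
    acct.must_change_password = False
    notify(acct.username, message)   # req. 11/12: notice carries no password
    return True


def change_password(acct, old_password, new_password, is_tls, notify) -> bool:
    """Req. 2 and 4: the existing password is verified first, over TLS only."""
    if not is_tls:
        raise PermissionError("password change only over a secure connection")
    if acct.locked or not _verify(old_password, acct.pw_salt, acct.pw_hash):
        return False
    return _set_password(acct, new_password, notify, "Your password was changed.")


def reset_password(acct, new_password, is_tls, notify) -> bool:
    """Req. 10: the only path that sets a password without the old one, and
    only while a correct secret-question answer is pending."""
    if not is_tls:
        raise PermissionError("password reset only over a secure connection")
    if acct.locked or not acct.must_change_password:
        return False
    return _set_password(acct, new_password, notify, "Your password was reset.")


def answer_secret_question(acct, answer, notify) -> bool:
    """Req. 9 and 11: lock after repeated wrong answers; on success require a
    new password next and notify the user of the reset request."""
    if acct.locked:
        return False
    if _verify(answer.strip().lower(), acct.ans_salt, acct.ans_hash):
        acct.failed_attempts = 0
        acct.must_change_password = True
        notify(acct.username, "A password reset was requested for your account.")
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return False
```

Two design points worth noting: the secret-question answer is normalised and hashed exactly like the password, so a database dump reveals neither; and `reset_password` succeeds only while `must_change_password` is set, so a correct answer can never be reused later, and the notification text never includes the credential itself.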