  1. User passwords MUST comply with the password policy at registration, at password change
    and at password reset.

  2. Unless the password policy specifies otherwise, the following minimum requirements
    for user passwords MUST apply:

    1. length >= 8 characters,

    2. contains letters, digits and special characters,

    3. is not identical to the username,

    4. is masked in all HTML password fields,

    5. is never logged or cached,

    6. is transmitted only over an encrypted channel (e.g. TLS) when the network is untrusted,

    7. is never transmitted in URLs (query strings end up in logs, referrers and browser history), and

    8. is stored only as a salted hash computed with a key-stretching function. This SHOULD be
      implemented with bcrypt, scrypt or PBKDF2; a plain salted SHA-256 or MD5 does not meet
      this requirement.

  3. Initial user passwords MUST be changed by the user at first login.

  4. Default passwords (set by the vendor) MUST NOT be used; they MUST be replaced with strong,
    individual passwords.
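The following is an added example, not code from the original page, showing how requirements 2.1, 2.2, 2.3 and 2.8 and the first-login change from requirement 3 can be enforced with the Python standard library. PBKDF2-HMAC-SHA256 is used because it is one of the three algorithms the text allows and needs no third-party package; the iteration count, the salt length, the record format and all function names are this example's own assumptions, not values the policy prescribes.

```python
"""Password policy enforcement and salted, key-stretched storage (added example).

Assumptions made here that the policy text does not fix:
  - PBKDF2-HMAC-SHA256 with 600,000 iterations (tune to your hardware),
  - a 16-byte random salt per password,
  - a record format of "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
"""
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000   # assumption; raise as hardware allows
SALT_BYTES = 16
SPECIALS = set(string.punctuation)


def policy_violations(password: str, username: str) -> list:
    """Return the minimum-requirement violations (empty list if compliant).

    Only describes *which* rule failed; the password itself is never included
    in the returned text, so it cannot leak into error logs (requirement 2.5).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.casefold() == username.casefold():
        problems.append("identical to the username")
    return problems


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn for every call."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:          # malformed record, bad hex or bad int
        return False


def register(username: str, password: str, initial: bool = False) -> dict:
    """Create a user record; an initial (administrator-set) password must be
    changed at first login (requirement 3)."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("password policy violated: " + ", ".join(problems))
    return {"username": username,
            "password_hash": hash_password(password),
            "must_change_password": initial}


def change_password(user: dict, old_password: str, new_password: str) -> dict:
    """Apply the same policy on change as on registration (requirement 1) and
    clear the first-login flag once the user has chosen their own password."""
    if not verify_password(old_password, user["password_hash"]):
        raise PermissionError("current password does not match")
    problems = policy_violations(new_password, user["username"])
    if problems:
        raise ValueError("password policy violated: " + ", ".join(problems))
    return {**user,
            "password_hash": hash_password(new_password),
            "must_change_password": False}


if __name__ == "__main__":
    user = register("alice", "Init-Pw-2024!", initial=True)   # constructed sample
    print(user["must_change_password"], verify_password("Init-Pw-2024!", user["password_hash"]))
    user = change_password(user, "Init-Pw-2024!", "Tr0ub4dor&3")
    print(user["must_change_password"], user["password_hash"][:20] + "...")
```

Note that `hash_password` never returns the same record twice for the same password because the salt is random, so equality of stored records says nothing about equality of passwords; always go through `verify_password`. The comparison uses `hmac.compare_digest` so that a mismatch takes the same time regardless of where the hashes first differ.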