User passwords MUST comply with the password policy at registration as well as in the
password change and password reset functions.
Unless the password policy specifies otherwise, the following minimum requirements for
user passwords MUST apply. User passwords MUST:
be at least 8 characters long,
consist of letters, digits and special characters,
not be identical to the username,
be masked in all HTML password fields,
not be logged or cached,
be encrypted when transferred over insecure channels,
not be transmitted in URLs and
be stored as a salted secure hash, ideally with key stretching. This SHOULD be
implemented with the bcrypt, scrypt or PBKDF2 algorithm.
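The following is an added example, not part of the policy text: it enforces the minimum requirements listed above at registration and stores the password as a salted, key-stretched PBKDF2-HMAC-SHA256 hash using only the Python standard library. The iteration count, salt length and the `algo$iterations$salt$digest` storage format are assumptions, not values given by the policy.

```python
# Added example (not from the policy document): policy check plus salted PBKDF2 storage.
# Iteration count, salt length and storage format are assumed values.
import hashlib
import hmac
import secrets
import string

PBKDF2_ITERATIONS = 600_000   # key-stretching work factor (assumption)
SALT_BYTES = 16               # fresh random salt per password (assumption)

def password_policy_violations(password: str, username: str) -> list[str]:
    """Return the minimum-requirement rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < 8:
        violations.append("length < 8")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    if not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    if password.casefold() == username.casefold():
        violations.append("identical to username")
    return violations

def hash_password(password: str) -> str:
    """Salted, key-stretched hash in a self-describing form suitable for storage."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:            # malformed record or non-hex salt/digest
        return False

def register(username: str, password: str) -> str:
    """Registration flow: reject non-compliant passwords, otherwise return the record to store."""
    violations = password_policy_violations(password, username)
    if violations:
        # Report only the violated rules; never log or echo the password itself.
        raise ValueError("password policy violated: " + ", ".join(violations))
    return hash_password(password)
```

The same `password_policy_violations` check applies unchanged to the password change and reset flows; only the plaintext password is held in memory long enough to derive the hash.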
Initial user passwords MUST be changed by the user at first login.
Vendor default passwords (i.e. passwords set by the vendor) MUST NOT be used and MUST be replaced by strong