
  1. User passwords MUST comply with the password policy at registration as well as in the
    password change and password reset functions.

  2. Unless the password policy specifies otherwise, the following minimum requirements for
    user passwords MUST apply. Passwords MUST:

    1. be at least 8 characters long,

    2. consist of letters, digits and special characters,

    3. not be identical to the username,

    4. be masked in all HTML password fields,

    5. not be logged or cached,

    6. be encrypted when transferred over insecure channels,

    7. not be transmitted in URLs, and

    8. be stored as a salted secure hash, ideally with key stretching. This SHOULD be
      implemented with the bcrypt, scrypt or PBKDF2 algorithm.

  3. Initial user passwords MUST be changed by the user at first login.

  4. Standard passwords (i.e. defaults set by the vendor) MUST NOT be used and MUST be replaced
    by strong individual passwords.
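The minimum requirements in item 2 and the salted, key-stretched storage in 2.8, as an added Python example that is not part of the original page: a validator for the length, character-class and username checks, plus PBKDF2-HMAC-SHA256 storage and constant-time verification. The iteration count, salt length and storage string format are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from typing import Optional

# Assumed defaults derived from the minimum requirements above; a concrete
# password policy may override the length, and the work factor is an assumption.
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def validate_password(password: str, username: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    if not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    if password.casefold() == username.casefold():
        violations.append("identical to the username")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (key stretching); returns a self-describing record."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```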
