User password MUST be compliant to the password policy at both registration as well as
password change and password reset functions.
As long as not specified differently by the password policy, the following minimum requirements for
user passwords MUST apply:
Length >= 8 characters,
consists of characters, digits and special characters,
not be identical with the username,
be masked on all HTML password fields,
not be logged or cached,
encrypted when transferred over insecure channels,
not transmitted in URLs and
stored as a salted secure hash, ideally with key stretching. This SHOULD be
implemented with bcrypt, scrypt, PBKDF2 or Argon2 algorithm.
Initial user passwords MUST be changed by the user at first login.
Standard passwords (= set by the vendor) MUST NOT be used and replaced by strong
Password change functions:
Users MUST be able to change their passwords.
Users SHOULD be indicated the strength of the current password choice when changing their passwords (using a password strength functions).
Users MUST confirm a new password with their current ones.
Users SHOULD be informed when their password has changed (e.g. via e-mail notification).
Password forgot functions:
MUST implement the same level of security protections as the user authentication function (e.g. anti-automation).
MUST be authorized by the user with the same method that is used as second factor or (in case no second factor is used) for user identification (e.g. e-mail address). Ideally, by using a One Time Token (OTT) with limited validity sent as a second factor (e.g. to the registered user e-mail address or mobile phone).
MUST not affect the state of the user profile before password reset is completed.