OWASP Annotated Application Security Verification Standard
latest
Browse by chapter:
1 Architecture, Design and Threat Modeling
2 Authentication
2.1 Password Security Requirements
2.1.1 Passwords are at least 12 characters in length
2.1.2 Passwords can be 64 characters or longer
2.1.3 Passwords can contain spaces
2.1.4 Unicode characters are permitted in passwords
2.1.5 Users can change their password
2.1.6 Password change requires current and new password
2.1.7 Password are checked against breached passwords
2.1.8 A password strength meter is provided
2.1.9 No password character limitations
2.1.10 No periodic credential rotation or password history requirements
2.1.11 “paste” functionality, passwords helpers and password managers are permitted
2.1.12 Temporarily viewable passwords
2.2 General Authenticator Requirements
2.3 Authenticator Lifecycle Requirements
2.4 Credential Storage Requirements
2.5 Credential Recovery Requirements
2.6 Look-up Secret Verifier Requirements
2.7 Out of Band Verifier Requirements
2.8 Single or Multi Factor One Time Verifier Requirements
2.9 Cryptographic Software and Devices Verifier Requirements
2.10 Service Authentication Requirements
3 Session Management
4 Access Control
5 Validation, Sanitization and Encoding
6 Stored Cryptography
7 Error Handling and Logging
8 Data Protection
9 Communications
10 Malicious Code
11 Business Logic
12 Files and Resources
13 API and Web Service
14 Configuration
OWASP Annotated Application Security Verification Standard
Docs
»
2 Authentication
»
2.1 Password Security Requirements
»
2.1.5 Users can change their password
2.1.5 Users can change their password
¶
Verify users can change their password.
Level 1
X
Level 2
X
Level 3
X
CWE
NIST
620
5.1.1.2