2.5.3 Password credential recovery does not reveal the current password¶
Verify password credential recovery does not reveal the current password in any way. (C6)
| Level 1 | X |
| Level 2 | X |
| Level 3 | X |
| CWE | NIST |
|---|---|
| 640 | 5.1.1.2 |
General¶
Try the ‘password forgotten’ functionality if it exists and see if you get sent your own password back in cleartext. Note that one-time-passwords or tokens are okay, as long as they expire upon use.