Category:WASS User Management


Deploy mechanisms to securely perform tasks related to user management.
From time to time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore the application should provide secure means for users to change their password and to reset a forgotten one.


 * 1) Change password
 * 2) Immediately before changing a password, users must be required to enter their old (existing) password.
 * 3) The new password must meet the existing requirements of this standard.
 * 4) The password change should be performed over a secure connection.
 * 5) Forgotten passwords
 * 6) Implement a "secret" question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
 * 7) Old passwords should never be retrievable.
 * 8) When specifying their "secret" question, the user should have a choice of what question they are asked, and/or the question should not have a "predefined" or "limited" choice, such as "what is your favorite color" or "what was your first car".
 * 9) After a number of incorrect attempts at answering the secret question(s), the account should be locked, as it would be for incorrect username/password attempts.
 * 10) The user should be required to change their password immediately after correctly answering the secret question(s).
 * 11) A notification of a password change or forgotten-password request should be sent to the user (via email or other communication channels such as SMS).
 * 12) Passwords should never be emailed or displayed.
 * 13) All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
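The change-password and forgotten-password flows above, as an added example (not code from this standard or any WASS implementation): the old password is re-checked before a change, the new password is policy-checked, secret answers are stored only as salted hashes and compared in constant time, repeated wrong answers lock the account, a correct answer forces a password change, and notifications never carry the password. The lockout threshold and minimum length are assumed stand-in values.

```python
import hashlib, hmac, os

LOCKOUT_THRESHOLD = 5       # assumed value; the standard does not fix a number
MIN_PASSWORD_LENGTH = 12    # stand-in for the standard's own password rules

def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2: neither passwords nor secret answers are stored in the clear (req. 7)
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, secret_answer: str):
        self.pw_salt, self.ans_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = _hash(password, self.pw_salt)
        self.ans_hash = _hash(secret_answer.strip().lower(), self.ans_salt)
        self.failed_answers, self.locked, self.must_change_password = 0, False, False
        self.notifications = []   # stands in for e-mail/SMS delivery (req. 11)

    def _verify(self, stored: bytes, salt: bytes, candidate: str) -> bool:
        return hmac.compare_digest(stored, _hash(candidate, salt))   # constant-time compare

    def _set_password(self, new: str) -> bool:
        if len(new) < MIN_PASSWORD_LENGTH or self._verify(self.pw_hash, self.pw_salt, new):
            return False          # fails policy, or re-uses the current password
        self.pw_salt = os.urandom(16)
        self.pw_hash = _hash(new, self.pw_salt)
        self.must_change_password = False
        self.notifications.append("Your password was changed.")   # never contains the password
        return True

    def change_password(self, old: str, new: str) -> bool:
        # Req. 2-3: re-authenticate with the old password before accepting the new one
        if self.locked or not self._verify(self.pw_hash, self.pw_salt, old):
            return False
        return self._set_password(new)

    def answer_secret_question(self, answer: str) -> bool:
        # Req. 9-10: lock after repeated wrong answers; on success require a password change
        if self.locked:
            return False
        if not self._verify(self.ans_hash, self.ans_salt, answer.strip().lower()):
            self.failed_answers += 1
            self.locked = self.failed_answers >= LOCKOUT_THRESHOLD
            return False
        self.failed_answers, self.must_change_password = 0, True
        self.notifications.append("A password reset was requested for your account.")
        return True

    def reset_password(self, new: str) -> bool:
        # Only valid immediately after the secret question was answered correctly
        return self.must_change_password and self._set_password(new)
```

The secure-connection requirement (item 4) is a transport concern handled by TLS configuration outside this code.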