Application Security Handbook

Application Security Handbook
Web Application

Powered by GitBook

On this page

Web Application

Authentication

Default Passwords

PreviousMulti-factor Authentication NextPassword Change

Last updated 1 year ago

Overview

The page contains recommendations for working with default passwords.

General

Avoid setting default passwords.
If you are setting "default" passwords:
- Generate passwords using a cryptographically strong random generator, see the Cryptography: Random Generators page.
- Default passwords must follow the password policy, see the Authentication: Password Policy page.
- Default passwords must expire after a short period (for example, 7 days).
- A user must set a new password after the first authentication with a default password.
- Prohibit setting a default password as a long-term one.

Overview
General