# Default Passwords

## Overview

This page contains recommendations for working with default passwords.

## General

* Avoid setting default passwords.
* If you are setting "default" passwords:
  * Generate passwords using a cryptographically strong random generator, see the [Cryptography: Random Generators](https://0xn3va.gitbook.io/application-security-handbook/web-application/cryptography/random-generators) page.
  * Default passwords must follow the password policy, see the [Authentication: Password Policy](https://0xn3va.gitbook.io/application-security-handbook/web-application/authentication/password-policy) page.
  * Default passwords must expire after a short period (for example, 7 days).
  * A user must set a new password after the first authentication with a default password.
  * Do not allow a default password to remain in use as a long-term password.
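
The recommendations above, put together in one small provisioning and login flow as an added example (not code from this handbook): a CSPRNG-generated default that must satisfy a policy, a 7-day expiry, a forced change on first authentication, and a refusal to keep the default as the permanent password. The `meets_policy` rule and the PBKDF2 work factor are assumptions for illustration.

```python
import hashlib, secrets, string
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_PASSWORD_TTL = timedelta(days=7)   # short validity window, as recommended above
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def meets_policy(password: str) -> bool:
    """Hypothetical minimal policy: 12+ chars with lower, upper, digit and symbol."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return len(password) >= 12 and all(any(f(c) for c in password) for f in classes)

def generate_default_password(length: int = 16) -> str:
    """secrets draws from the OS CSPRNG; retry until the candidate satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate): return candidate

def hash_password(password: str, salt: bytes) -> bytes:
    # salted PBKDF2-HMAC-SHA256; 200_000 rounds is an assumed work factor, tune for your hardware
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    default_expires_at: "datetime | None"   # set only while a default password is in force

def provision_account(username: str, now: datetime):
    """Create an account with a fresh, short-lived default password (shown to the user once)."""
    default, salt = generate_default_password(), secrets.token_bytes(16)
    acct = Account(username, salt, hash_password(default, salt), now + DEFAULT_PASSWORD_TTL)
    return acct, default

def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'denied', 'expired', 'must_change' or 'ok'."""
    if not secrets.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied"
    if acct.default_expires_at is not None:
        return "expired" if now > acct.default_expires_at else "must_change"
    return "ok"

def set_new_password(acct: Account, new_password: str) -> bool:
    """First-login rotation: must meet policy and must not simply keep the default."""
    same_as_default = secrets.compare_digest(hash_password(new_password, acct.salt), acct.password_hash)
    if not meets_policy(new_password) or same_as_default:
        return False
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.default_expires_at = None           # the user's own password is now the long-term one
    return True
```

An "expired" result should lead to re-provisioning a fresh default through an out-of-band channel, never to silently extending the old one.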
