Password Change

Overview

This page contains recommendations for the implementation of password change functionality.

General

• Request at least the following data during password change:

  • Old password.

  • New password.

  • Confirmation of the new password.

• Terminate all active sessions after changing a password.

• Implement the CSRF protection, see the Vulnerability Mitigation: Cross-Site Request Forgery (CSRF) page.

• Log successful and failed password change attempts, see the Logging and Monitoring page.

• Comply with requirements from the Error and Exception Handling page.

• Limit the number of attempts to change the password for a certain period, see the Vulnerability Mitigation: Brute-force page.

• Ask for a second factor when a user changes a password, if a multi-factor authentication is enabled.