Password Change
Last updated
This page contains recommendations for the implementation of password change functionality.
Request at least the following data during password change:
Old password.
New password.
Confirmation of the new password.
Terminate all active sessions after changing a password.
Implement CSRF protection, see the Vulnerability Mitigation: Cross-Site Request Forgery (CSRF) page.
Log successful and failed password change attempts, see the Logging and Monitoring page.
Comply with requirements from the Error and Exception Handling page.
Limit the number of attempts to change the password for a certain period, see the Vulnerability Mitigation: Brute-force page.
Ask for a second factor when a user changes a password, if multi-factor authentication is enabled.
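The recommendations above describe one flow, so here is a single worked example of a password change handler that applies all of them in order. It is an added illustration, not code from this page or from any particular framework: the in-memory User record, the audit log list, the per-user CSRF token, the attempt limit of 5 per 15 minutes and the 12-character minimum are assumptions chosen for the example, and the second-factor check is passed in as a callable so the handler does not depend on any specific MFA mechanism.

```python
"""Password change flow: old password, new password plus confirmation,
per-user attempt limiting, optional second factor, CSRF token check,
revocation of every active session, and logging of every attempt.
Added example; values below are assumptions, not the page's own."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

MAX_ATTEMPTS = 5           # assumed: attempts allowed per window
WINDOW_SECONDS = 15 * 60   # assumed: length of the window
MIN_LENGTH = 12            # assumed: minimum new-password length

AUDIT_LOG: List[str] = []  # stands in for the application's logging pipeline


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; a memory-hard KDF is
    # preferable in production, but this keeps the example dependency-free.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    mfa_enabled: bool = False
    sessions: Set[str] = field(default_factory=set)          # active session ids
    change_attempts: List[float] = field(default_factory=list)  # timestamps
    csrf_token: str = field(default_factory=lambda: os.urandom(16).hex())

    @classmethod
    def create(cls, name: str, password: str, mfa_enabled: bool = False) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, hash_password(password, salt), mfa_enabled)


def _log(user: User, outcome: str, reason: str = "") -> None:
    # Record who, what outcome and why; never the passwords themselves.
    AUDIT_LOG.append(
        f"password_change user={user.name} outcome={outcome} reason={reason}".rstrip()
    )


def change_password(user: User, old: str, new: str, confirm: str,
                    csrf_token: str, second_factor_ok: Callable[[], bool],
                    now: Optional[float] = None) -> str:
    """Return 'ok' on success, otherwise a short reason code (also logged)."""
    now = time.time() if now is None else now

    # 1. CSRF: a state-changing request must carry the token bound to this user.
    if not hmac.compare_digest(csrf_token, user.csrf_token):
        _log(user, "failure", "csrf")
        return "csrf_failed"

    # 2. Attempt limiting: drop timestamps outside the window, then count.
    user.change_attempts = [t for t in user.change_attempts if now - t < WINDOW_SECONDS]
    if len(user.change_attempts) >= MAX_ATTEMPTS:
        _log(user, "failure", "rate_limited")
        return "rate_limited"
    user.change_attempts.append(now)

    # 3. Old password, compared in constant time against the stored hash.
    if not hmac.compare_digest(hash_password(old, user.salt), user.password_hash):
        _log(user, "failure", "wrong_old_password")
        return "wrong_old_password"

    # 4. New password and its confirmation must match and meet the policy.
    if new != confirm:
        _log(user, "failure", "confirmation_mismatch")
        return "confirmation_mismatch"
    if len(new) < MIN_LENGTH or new == old:
        _log(user, "failure", "weak_or_reused_password")
        return "weak_or_reused_password"

    # 5. Second factor, only when the account has MFA enabled.
    if user.mfa_enabled and not second_factor_ok():
        _log(user, "failure", "second_factor_failed")
        return "second_factor_failed"

    # 6. Apply: fresh salt and hash, revoke every session, rotate the CSRF token.
    user.salt = os.urandom(16)
    user.password_hash = hash_password(new, user.salt)
    user.sessions.clear()
    user.csrf_token = os.urandom(16).hex()
    _log(user, "success")
    return "ok"
```

Checks are ordered so that the cheap, request-level ones (CSRF, attempt count) run before any password hashing, and the second factor is only requested once the old password and confirmation have passed, so a failed guess never reaches the MFA prompt. Because every session is cleared, the caller must issue the user a new session after a successful change.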