Application Security Handbook

Password Change


Last updated 1 year ago

Overview

This page contains recommendations for the implementation of password change functionality.

General

  • Request at least the following data during password change:

    • Old password.

    • New password.

    • Confirmation of the new password.

  • Terminate all active sessions after changing a password.

  • Ask for a second factor when a user changes a password, if a multi-factor authentication is enabled.

  • Implement CSRF protection, see the Vulnerability Mitigation: Cross-Site Request Forgery (CSRF) page.

  • Log successful and failed password change attempts, see the Logging and Monitoring page.

  • Comply with the requirements from the Error and Exception Handling page.

  • Limit the number of attempts to change the password within a certain period, see the Vulnerability Mitigation: Brute-force page.
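The checks listed above combined into one password-change handler, as an added example written for this page rather than code from the handbook. The in-memory `Store`, the `change_password` signature, the PBKDF2 work factor and the attempt limit are assumptions; CSRF token validation is assumed to happen in the HTTP layer before this function is called.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
MAX_FAILED_CHANGES = 5        # assumed per-user limit for the rate-limit window


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Store:
    """In-memory stand-in for the user, session, counter and audit-log tables."""
    def __init__(self):
        self.creds = {}                  # user -> (salt, password hash)
        self.sessions = {}               # session_id -> user
        self.failed = defaultdict(int)   # user -> failed change attempts in window
        self.audit = []                  # (user, outcome) entries for the security log

    def register(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, hash_password(password, salt))

    def login(self, user, session_id):
        self.sessions[session_id] = user


def change_password(store, user, old, new, confirm, mfa_enabled=False, mfa_passed=False):
    """Return (ok, reason); every outcome is written to the audit log."""
    if store.failed[user] >= MAX_FAILED_CHANGES:        # brute-force limit on old password
        store.audit.append((user, "change_failed:rate_limited"))
        return False, "rate_limited"
    if mfa_enabled and not mfa_passed:                  # second factor when MFA is on
        store.audit.append((user, "change_failed:mfa_required"))
        return False, "mfa_required"
    if new != confirm:                                  # new password vs confirmation
        store.audit.append((user, "change_failed:confirmation_mismatch"))
        return False, "confirmation_mismatch"
    salt, current = store.creds[user]
    if not hmac.compare_digest(current, hash_password(old, salt)):   # old password check
        store.failed[user] += 1
        store.audit.append((user, "change_failed:wrong_old_password"))
        return False, "wrong_old_password"
    new_salt = os.urandom(16)
    store.creds[user] = (new_salt, hash_password(new, new_salt))
    # Terminate every active session of this user; the client must log in again.
    for sid in [s for s, u in store.sessions.items() if u == user]:
        del store.sessions[sid]
    store.failed[user] = 0
    store.audit.append((user, "change_succeeded"))
    return True, "ok"
```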