Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

How to Comply

Transfer temporary passwords securely

Initial/temporary passwords or secrets must be securely transferred to the user (email to a known good address without the username or address of record, or phone call). A phone call is the preferred method.

Require password changes

When creating passwords, administrators must ensure that the passwords are set to be changed after first use.