SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords require L4 security.
Initial/temporary passwords or secrets must be securely transferred to the user (email to a known-good address without the username or address of record, or a phone call). A phone call is the preferred method.