Verify that user-set passwords are at least 8 characters in length, although a minimum of 15 characters is strongly recommended.
Verify that users can change their password.
Verify that password change functionality requires the user's current and new password.
Verify that passwords submitted during account registration or password change are checked against an available set of, at least, the top 3000 passwords which match the application's password policy, e.g. minimum length.
Verify that passwords of any composition can be used, without rules limiting the type of characters permitted. There must be no requirement for a minimum number of upper or lower case characters, numbers, or special characters.
Verify that password input fields use type=password to mask the entry. Applications may allow the user to temporarily view the entire masked password, or the last typed character of the password.
Verify that "paste" functionality, browser password helpers, and external password managers are permitted.
Verify that the application verifies the user's password exactly as received from the user, without any modifications such as truncation or case transformation.
Verify that passwords of at least 64 characters are permitted.
Verify that a user's password stays valid until it is discovered to be compromised or the user rotates it. The application must not require periodic credential rotation.
Verify that the documented list of context-specific words is used to prevent easy-to-guess passwords from being created.
Verify that passwords submitted during account registration or password changes are checked against a set of breached passwords.
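One way the length, blocklist, breached-password, context-word and password-change requirements above can be enforced together, as an added example that is not taken from the original page. The sample lists, the 128-character cap, the context-word heuristic, the function names and the choice of PBKDF2 are all assumptions.

```python
import hashlib, hmac, os

MIN_LENGTH = 8      # page minimum; 15 is strongly recommended
MAX_LENGTH = 128    # assumption: any cap must still permit at least 64

# Constructed sample lists; real ones are loaded from files or a lookup service.
# The top-passwords list holds only entries that already meet MIN_LENGTH.
TOP_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou"}
BREACHED = {"Tr0ub4dor&3xyz", "correct horse battery staple"}
CONTEXT_WORDS = {"examplebank", "example"}   # hypothetical app/org names


def check_new_password(candidate: str) -> list[str]:
    """Return policy violations for a new password; [] means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too_long")
    folded = candidate.casefold()      # used for list lookups only
    if folded in TOP_PASSWORDS:
        problems.append("common")
    if candidate in BREACHED:          # breach corpora hold exact strings
        problems.append("breached")
    # Assumption: context words do not count towards the minimum length.
    remainder = folded
    for word in sorted(CONTEXT_WORDS, key=len, reverse=True):
        remainder = remainder.replace(word, "")
    if remainder != folded and len(remainder) < MIN_LENGTH:
        problems.append("context_word")
    return problems                    # deliberately no composition rules


def hash_password(password: str, salt: bytes) -> bytes:
    # Hash the exact string received: no strip(), lower() or truncation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)


def change_password(record: dict, current: str, new: str) -> list[str]:
    """A change needs the current password and a policy-compliant new one."""
    expected = hash_password(current, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return ["wrong_current_password"]
    problems = check_new_password(new)
    if not problems:
        record["salt"] = os.urandom(16)
        record["hash"] = hash_password(new, record["salt"])
    return problems
```
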