User passwords MUST comply with the password policy at registration as well as in the password change and password reset functions.
Unless the password policy specifies otherwise, the following minimum requirements for user passwords MUST apply:
Length >= 8 characters,
not consist of repetitive or sequential characters (e.g. bbbbbbbb, 12345678),
not be identical with the username,
be masked on all HTML password fields,
not be logged or cached,
be encrypted when transferred over insecure channels,
not be transmitted in URLs and
be stored as a salted secure hash, ideally with key stretching. This SHOULD be implemented with the Argon2id, bcrypt, scrypt or PBKDF2 algorithm.
Initial user passwords MUST be changed by the user at first login.
Standard passwords (= set by the vendor) MUST NOT be used and MUST be replaced by strong individual passwords.
A password visibility toggle to unmask HTML password fields CAN be implemented.
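The content checks and the storage requirement above can be combined in one registration or password change handler. The following is an added example, not part of the standard itself: the function names, the stored string format and the PBKDF2 iteration count are assumptions, and the repetitive/sequential checks cover only the two patterns the list gives as examples.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment


def is_sequential(password: str) -> bool:
    """True if each character is exactly one code point above (or below) the previous one."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def policy_violations(username: str, password: str) -> list:
    """Return the minimum requirements the password fails; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if password and len(set(password)) == 1:  # e.g. bbbbbbbb
        violations.append("repetitive")
    if is_sequential(password):  # e.g. 12345678
        violations.append("sequential")
    if password.casefold() == username.casefold():
        violations.append("identical to username")
    return violations


def hash_password(password: str) -> str:
    """Salted, stretched hash stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    _scheme, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
```

Keeping the iteration count inside the stored string lets the work factor be raised later without invalidating existing hashes.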
B.6.2 Password Change Functions
Users MUST be able to change their own passwords.
Users SHOULD be shown the strength of their current password choice when changing their passwords (using a password strength function).
Users MUST confirm a new password with their current one.
Users SHOULD be informed when their password has changed (e.g. via e-mail notification).
B.6.3 Password Forgot Functions
MUST implement the same level of security protections as the user authentication function (e.g. anti-automation).
MUST be authorized by the user with the same method that is used as a second factor or (in case no second factor is used) for user identification (e.g. e-mail address). Ideally, by using a one-time token (OTT) with limited validity sent as a second factor (e.g. to the registered user’s e-mail address or mobile phone).
MUST NOT affect the state of the user profile before the password reset is completed.