Password Change Recommendations
This page provides a password change process that can be used to securely reset a user's password. If your site or application contains anything that should be kept secure at all, or even if you only want to prevent minor fraud such as users falsely rating sites or products, you should follow these recommendations. Your project manager should make these recommendations a requirement.
The user must already be logged into the site to be able to access the change password page.
The user must navigate to the Change Password page.
The user must enter their current password and two copies of the new password on the change password page.
The change password page will redirect to another page when the user hits the submit button.
The password change will be made on the server and the user is informed whether it was successful or not. If the new password does not meet complexity rules, the user is informed what the failure was.
The server should send an email to the email address on record for the account indicating a password change attempt, noting whether it was successful or not.
The server should check to be sure the two new passwords match and update itself with the new password if they match.
Security Requirements
The change password page must use the password field for all password boxes so the password is hidden from the screen.
The change password page cannot include information that can be used to change other account settings or information.
The change password page must not be cached in the user browser.
The change password page should redirect to another page when the user hits the submit button.
The change password page should only allow three failed password change attempts in a single day and only one successful change in a single day. This limit reduces the need for a CAPTCHA to prevent automated submissions. A failed attempt does not include a failure of the two copies of the new password to match.
The page that accepts the new passwords from the user should not be resubmittable by refreshing the browser, so a refresh cannot repeat the change request.
The system should require the new password to meet minimum complexity rules, including a minimum length and at least three character types (capital letters, lower case letters, numbers, and special characters).
The system should support password lengths of at least 127 two byte characters.
Hashes of the passwords entered should be sent using HTTPS to the server.
The server should always log attempts to change passwords whether they are successful or not. It should log the user's information but not any passwords entered or their hashes. It should note whether the change succeeded or failed.
The server should check to be sure the current password entered is correct. If not, it should indicate a password change failure.
If the old password hash matches the current password hash in the database, the server should compare the two new hashed passwords to see if they match. If they do, it should replace the old password hash with the new password hash in the database.
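The following server-side handler is an added example that is not part of the original page: it implements the process and requirements above (current-password check, matching new passwords, complexity rules, the three-failed/one-successful daily limit, logging without passwords or hashes, and notification to the address on record). The in-memory stores, the salted PBKDF2 hash, and the minimum length of 8 are assumptions standing in for a real database, password hasher and mailer.

```python
import hashlib, hmac, os, re
from datetime import date

# Constructed in-memory stores standing in for the database, audit log and mailer.
USERS = {}     # username -> {"hash": bytes, "salt": bytes, "email": str}
ATTEMPTS = {}  # (username, day) -> {"failed": int, "succeeded": int}
LOG = []       # audit lines: user and outcome only, never a password or its hash
MAIL = []      # (address, subject) notifications sent to the address on record

def hash_password(password, salt):
    # Salted PBKDF2 is an assumed choice; the page does not prescribe a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(username, password, email):
    salt = os.urandom(16)
    USERS[username] = {"hash": hash_password(password, salt), "salt": salt, "email": email}

def meets_complexity(pw):
    # Minimum length 8 is an assumption; the page requires at least three
    # character classes out of upper, lower, digit and special.
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3

def change_password(username, current, new1, new2, today=None):
    day = today or date.today().isoformat()
    user = USERS[username]
    counts = ATTEMPTS.setdefault((username, day), {"failed": 0, "succeeded": 0})

    def finish(ok, reason, count_failure=True):
        # Every attempt is logged and the account's email address is notified.
        LOG.append(f"{day} user={username} result={'ok' if ok else 'fail'} reason={reason}")
        MAIL.append((user["email"], f"Password change {'succeeded' if ok else 'failed'}: {reason}"))
        if not ok and count_failure:
            counts["failed"] += 1
        return ok, reason
    # Three failed and one successful change per day, as the page requires.
    if counts["succeeded"] >= 1 or counts["failed"] >= 3:
        return finish(False, "daily change limit reached", count_failure=False)
    if not hmac.compare_digest(hash_password(current, user["salt"]), user["hash"]):
        return finish(False, "current password incorrect")
    # A mismatch between the two copies is reported but not counted as a failed attempt.
    if new1 != new2:
        return finish(False, "new passwords do not match", count_failure=False)
    if not meets_complexity(new1):
        return finish(False, "new password does not meet complexity rules")
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new1, user["salt"])
    counts["succeeded"] += 1
    return finish(True, "password changed")
```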