For accountability, no system administrator should know another administrator's password: if a credential is known to more than one person, an action taken with it cannot be attributed to one individual.
When creating a new user account or resetting the password of an existing one, three things should occur:
- The system should generate the initial password at random; the administrator should never choose it or see it.
- The initial password should be sent to the user by email, so the only copy in the clear is in the user's mailbox.
- The user should be required to change the password at first login, and the emailed password should be treated as temporary: it should lapse if unused within a short window, and once changed it should no longer be accepted.
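The three steps, worked through as an added example (not code from the original article or from any particular product). It assumes an application that keeps its own user records; the user, sender address, 24-hour temporary-password lifetime and the choice of PBKDF2-HMAC-SHA256 as the stored hash are all assumptions made for the example. The reset path hands the administrator back only the email to send, never the password itself.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from typing import Dict, Optional, Tuple

# Policy parameters: assumptions for this example, not values stated on the page.
TEMP_PASSWORD_ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 16                  # 62**16 possibilities, about 95 bits
TEMP_PASSWORD_LIFETIME = timedelta(hours=24)
PBKDF2_ITERATIONS = 600_000                # OWASP figure for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 8                    # NIST SP 800-63B minimum for user-chosen secrets


@dataclass
class UserRecord:
    """What the directory stores: a salted hash, never the password itself."""
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool
    temp_password_expires: Optional[datetime]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def generate_temporary_password() -> str:
    # secrets (CSPRNG), not random: the admin cannot predict or reproduce the value.
    return "".join(secrets.choice(TEMP_PASSWORD_ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))


def issue_temporary_password(record: UserRecord, now: datetime) -> str:
    """Step 1: random password, stored hashed, flagged must-change, time-limited.
    The clear-text value is returned once so it can be mailed; it is not logged."""
    temp = generate_temporary_password()
    record.salt = secrets.token_bytes(16)
    record.password_hash = hash_password(temp, record.salt)
    record.must_change_password = True
    record.temp_password_expires = now + TEMP_PASSWORD_LIFETIME
    return temp


def build_notification(record: UserRecord, temp_password: str) -> EmailMessage:
    """Step 2: the initial password goes to the user's mailbox, not to the admin."""
    msg = EmailMessage()
    msg["From"] = "no-reply@example.com"   # hypothetical sender address
    msg["To"] = record.email
    msg["Subject"] = "Your temporary password"
    msg.set_content(f"Temporary password: {temp_password}\n"
                    f"It expires at {record.temp_password_expires.isoformat()} "
                    "and must be changed at first sign-in.")
    return msg


def create_user(username: str, email: str, now: datetime) -> Tuple[UserRecord, EmailMessage]:
    record = UserRecord(username, email, b"", b"", True, None)
    return record, build_notification(record, issue_temporary_password(record, now))


def reset_password(record: UserRecord, now: datetime) -> EmailMessage:
    """Admin-initiated reset: the admin receives only the message to send."""
    return build_notification(record, issue_temporary_password(record, now))


def authenticate(record: UserRecord, password: str, now: datetime) -> str:
    """Returns 'denied', 'change_required' or 'ok'."""
    if record.temp_password_expires is not None and now > record.temp_password_expires:
        return "denied"            # unused temporary password has lapsed; reset again
    if not hmac.compare_digest(hash_password(password, record.salt), record.password_hash):
        return "denied"
    # Step 3: a valid temporary password only reaches the change-password screen.
    return "change_required" if record.must_change_password else "ok"


def change_password(record: UserRecord, current: str, new: str, now: datetime) -> bool:
    """Completes step 3: needs the current (temporary) password and a compliant new one."""
    if authenticate(record, current, now) == "denied":
        return False
    if len(new) < MIN_PASSWORD_LENGTH or new == current:
        return False
    record.salt = secrets.token_bytes(16)
    record.password_hash = hash_password(new, record.salt)
    record.must_change_password = False
    record.temp_password_expires = None    # the emailed value is now useless
    return True


def demo() -> Dict[str, object]:
    """Runs the flow once for a hypothetical user and returns the outcomes."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    record, msg = create_user("alice", "alice@example.com", now)
    temp = msg.get_content().split("Temporary password: ", 1)[1].split("\n", 1)[0]
    r: Dict[str, object] = {"stored_in_clear": temp in repr(record)}
    r["first_login"] = authenticate(record, temp, now)
    r["change_too_short"] = change_password(record, temp, "short", now)
    r["change_ok"] = change_password(record, temp, "N3w-passphrase!", now)
    r["normal_login"] = authenticate(record, "N3w-passphrase!", now)
    r["old_temp_after_change"] = authenticate(record, temp, now)
    temp2 = reset_password(record, now).get_content().split("Temporary password: ", 1)[1].split("\n", 1)[0]
    r["reset_login_before_expiry"] = authenticate(record, temp2, now + timedelta(hours=1))
    r["reset_login_after_expiry"] = authenticate(record, temp2, now + timedelta(hours=25))
    return r


if __name__ == "__main__":
    print(demo())
```

The point to notice is the shape of `reset_password`: the function that an admin tool calls returns an `EmailMessage` and nothing else, so there is no code path by which the administrator's screen or the audit log ever holds the password. Expiry is checked before the hash comparison, so a lapsed temporary password is refused even if it is correct.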
See NIST SP 800-63B, §5.1.1 (Memorized Secrets) and following, for further password guidance that underpins many security and compliance frameworks.