Force Users to Change Initial Password at First Logon

Completed
Follow
Avatar
Bryan Sullo

For accountability purposes, system admins should not know other system admins' passwords.

When creating a new user account or resetting the password of an existing user account, three things should occur:

  1. The system should generate a new password at random.
  2. The initial password should be sent to the user via email.
  3. The user should be required to change their password at first login.

Please see NIST SP 800-63B §5.1.1 ff. for additional password best practices that support various security and compliance frameworks.

5

Comments

2 comments

Sort by Date Votes
  • Official comment
    Avatar
    Dave Sibiski

    As of 8/11/2022, the "User Activation" feature was deployed that removes the ability for an Admin to set a password for any user. Thus forcing them to send out an "Initial Password" activation link that when clicked allows the user to set their own password.

    As an additional note, we will be closing this site down as it has been replaced by our new "Roadmap" that can be found here: https://github.com/AutoElevate/roadmap#readme

    Comment actions Permalink
  • Avatar
    Chance Dority

    I agree with this.

    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post