Force Users to Change Initial Password at First Logon
Completed
For accountability purposes, system admins should not know other system admins' passwords.
When creating a new user account or resetting the password of an existing user account, three things should occur:
- The system should generate a new password at random.
- The initial password should be sent to the user via email.
- The user should be required to change their password at first login.
Please see NIST SP 800-63B §5.1.1 ff. for additional password best practices that support various security and compliance frameworks.
As of 8/11/2022, the "User Activation" feature has been deployed, which removes the ability for an Admin to set a password for any user, forcing them instead to send out an "Initial Password" activation link that, when clicked, allows the user to set their own password.
As an additional note, we will be closing this site down as it has been replaced by our new "Roadmap" that can be found here: https://github.com/AutoElevate/roadmap#readme
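The three-step flow requested above (random initial password, out-of-band delivery, forced change at first logon), as an added Python example that is not AutoElevate's code; the account model, hashing parameters and return values are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None   # only ever a hash; nobody can read the password back
    must_change_password: bool = True       # cleared only once the user picks their own password


def _hash(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_initial_password(account: Account) -> str:
    """Steps 1 and 2: random initial password on create/reset, never chosen by the admin.

    Only the hash is stored. The plaintext is returned once so the caller can deliver it
    out of band to the user (e.g. email); it must not be shown to the admin or logged.
    """
    initial = secrets.token_urlsafe(12)
    account.password_hash = _hash(initial, account.salt)
    account.must_change_password = True
    return initial


def logon(account: Account, password: str) -> str:
    """Step 3: a correct initial password only reaches the forced change-password screen."""
    if account.password_hash is None:
        return "denied"
    if not hmac.compare_digest(_hash(password, account.salt), account.password_hash):
        return "denied"
    return "change_password_required" if account.must_change_password else "ok"


def change_password(account: Account, current: str, new: str) -> bool:
    """Re-authenticates with the current password, rejects reuse, then clears the flag."""
    if logon(account, current) == "denied" or new == current:
        return False
    account.password_hash = _hash(new, account.salt)
    account.must_change_password = False
    return True
```

An admin-triggered reset simply calls issue_initial_password again, which restarts the forced-change cycle without the admin ever learning the user's chosen password.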