Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000516
The application password must not be changeable by users other than the administrator or the user with which the password is associated.
The application password must not be changeable by users other than the administrator or the user with which the password is associated.
An XCCDF Rule
Details
Profiles
Prose
The application password must not be changeable by users other than the administrator or the user with which the password is associated.
Medium Severity
<VulnDiscussion>If the application allows user A to change user B's password, user B can be locked out of the application, and user A is provided the ability to grant themselves access to the application as user B. This violates application integrity and availability principles. Many applications provide a password reset capability that allows the user to reset their password if they forget it. Protections must be utilized when establishing a password change or reset capability to prevent user A from changing user B's password. Protection is usually accomplished by having each user provide an out of bounds (OOB) communication address such as a separate email address or SMS/text address (mobile phone) that can be used to transmit password reset/change information. This OOB information is usually provided by the user when the user account is created. The OOB information is validated as part of the user account creation process by sending an account validation request to the OOB address and having the user respond to the request. Applications must prevent users other than the administrator or the user associated with the account from changing the account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>