By password change I mean when a logged-on user decides to update their password, i.e. they know the current password. The following need to be considered:
- Remember to add the functionality in the first place, as it is good practice
- Make sure the pages and responses are over HTTPS
- The user should have to enter their original password, and it should be checked to see if it is valid
- Do not replace the step above with a secret question answer, as these tend to be weak
- Do not include the username in a field or hidden field when entering data and then rely on it when processing the change, as it may be possible for the value to be tampered with using a DOM explorer (F12). Instead rely on the logged-on user name server side, i.e. User.Identity.Name
- Make sure the user must be logged on to access the functionality
- Make sure autocomplete is discouraged – prevent browsers autocompleting on shared computers
- Make sure caching is discouraged – prevent browsers using cached versions on shared computers
- Remember to apply your password policy
- On entering the original password incorrectly X times the account should lock (for a period of time)
- If you have security stamping (session stamping) turned on, remember to force a re-logon after the change
- Email the user to tell them that a) the password has been changed or b) the account has been locked because someone tried to change it
- Do not include the new password in any email, as it will probably end up on a phone, which can be lost
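As an added, framework-agnostic example (not ASP.NET code and not from the original post), here are the server-side rules from the list above as a single handler: the identity comes from the session rather than a form field, the current password is verified, failed attempts lock the account, the policy is applied, the security stamp is rotated to force a re-logon, and the notification events never carry the new password. The account store, lockout threshold, password policy and event names are assumptions.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILURES = 5          # "X" wrong current-password attempts before locking (assumed)
LOCK_SECONDS = 15 * 60    # lockout period (assumed)
# Headers the change-password page should send so shared computers keep no copy
NO_CACHE_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    security_stamp: str = ""   # rotated on change so other sessions must re-logon

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_pw(password, salt), security_stamp=os.urandom(8).hex())

def policy_ok(pw: str) -> bool:
    # Stand-in password policy (assumed): length plus mixed character classes
    return len(pw) >= 12 and not pw.isalpha() and not pw.isdigit()

def change_password(accounts, session_user, current_pw, new_pw, now=time.time):
    """Return (status, events). session_user is the server-side identity
    (User.Identity.Name in ASP.NET); a submitted username field is never consulted."""
    if session_user is None:
        return "not_logged_on", []            # must be logged on to reach this
    acct, t = accounts[session_user], now()
    if acct.locked_until > t:
        return "locked", []
    if not hmac.compare_digest(hash_pw(current_pw, acct.salt), acct.pw_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until, acct.failures = t + LOCK_SECONDS, 0
            return "locked", ["email:account_locked"]   # tell the user someone tried
        return "bad_current_password", []
    if not policy_ok(new_pw):
        return "policy_violation", []
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_pw(new_pw, acct.salt)
    acct.failures = 0
    acct.security_stamp = os.urandom(8).hex()  # invalidates existing sessions
    # The email event carries no password: the mail client may live on a lost phone
    return "changed", ["email:password_changed", "force_relogon"]
```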