Password changing without notification

Hello there
Given that I know a password is a personal secret used to gain access to a system, that password reset emails exist, and that the whole reset process must be done by the user, I have a doubt: if an account with administrative privileges changes a user’s password without knowing the previous password, and after the password is changed the user is not notified about the change, should it be considered FIN.S.0033 Change of password without verification?
I think this design of the process could affect the availability of the user account.

Could you update the initial question with:

  • your previous research on the topic

  • complete name of FIN.S.0033

  • your initial analysis and conclusions

Then we could build from there to give you the appropriate advice.

The situation you are describing is breaking this rule, so I think it could be reported as that finding or as an insecure configuration.