5. Create, change or renew a password
5.1. Do technical measures help the user to enter a strong password?
5.2. Are the conditions of password acceptability clearly displayed to the user in a way that the user can understand?
5.3. Are users guided through the password selection process to easily determine a strong, policy-compliant password?
5.4. If a non-compliant password is selected, is the rule that caused the password to be rejected clearly displayed to the user?
5.6. Is the user able to change their own password independently?
5.7. Are users not required to change their passwords periodically?
5.7. Are privileged accounts required to change their passwords periodically?
5.8. When a user requests a reset, is only a neutral message such as "if an account exists, a notification has been sent" displayed?
5.9. If the password renewal is done by sending a link or a token through another channel, is it done through a previously validated channel?
5.10. Are newly added or modified communication channels excluded from these mailings?
5.11. Is the user systematically notified when communication channels are added, modified or deleted?
5.12. If a link or token is sent to the user, is it a one-time use link or token?
5.13. If a link or token is sent to the user, does this link or token have a maximum validity of 24 hours?
5.14. If a link or token is sent to the user, are previously sent links or tokens automatically revoked?
5.15. If renewal requires answering secret questions, is information that is usually public (parents' names, place of study, pets' names, etc.) excluded?
5.16. Are the answers to these secret questions stored separately from the password, or encrypted?
5.17. Is the user systematically notified when these secret questions are added, modified or deleted?
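Items 5.2 to 5.4 ask that the acceptance rules be displayed up front and that a rejected password be answered with the exact rule it broke. One way to get both from a single definition is to keep the rules as data. The following is an added illustration, not part of the checklist: the thresholds, the rule wording and the small common-password set are constructed for the example.

```python
"""Password acceptance rules as data, so the same list can be displayed before
entry (5.2) and used to name the exact rule that rejected a candidate (5.4).

Added illustration; rules, thresholds and the word list are constructed and are
not values prescribed by the checklist.
"""
import unicodedata
from dataclasses import dataclass
from typing import Callable, List, Optional

MIN_LENGTH = 12   # constructed threshold
MAX_LENGTH = 128  # constructed threshold
# Stand-in for a breached/common-password list; a real deployment loads a large one.
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein12345"}


@dataclass(frozen=True)
class Rule:
    code: str
    description: str                    # shown verbatim to the user
    check: Callable[[str, str], bool]   # (password, username) -> True when satisfied


RULES = [
    Rule("length", f"Use between {MIN_LENGTH} and {MAX_LENGTH} characters",
         lambda pw, user: MIN_LENGTH <= len(pw) <= MAX_LENGTH),
    Rule("not_username", "Do not include your username",
         lambda pw, user: not user or user.lower() not in pw.lower()),
    Rule("not_common", "Do not use a commonly used or previously breached password",
         lambda pw, user: pw.lower() not in COMMON_PASSWORDS),
    Rule("variety", "Use at least four different characters",
         lambda pw, user: len(set(pw)) >= 4),
]


def policy_summary() -> List[str]:
    """Text to display next to the password field (5.2), derived from the same rules."""
    return [r.description for r in RULES]


def normalize(password: str) -> str:
    # NFKC so visually identical inputs (composed vs decomposed accents) compare equal.
    return unicodedata.normalize("NFKC", password)


def evaluate(password: str, username: str = "") -> List[str]:
    """Descriptions of every violated rule; an empty list means the password is compliant."""
    pw = normalize(password)
    return [r.description for r in RULES if not r.check(pw, username)]


def reject_message(password: str, username: str = "") -> Optional[str]:
    """One message naming the failed rule(s) (5.4), or None when the password is accepted."""
    failures = evaluate(password, username)
    if not failures:
        return None
    return "Password not accepted: " + "; ".join(failures)
```

Because the displayed policy and the rejection message are generated from the same `RULES` list, the two cannot drift apart when a rule is added or reworded, which is the usual way the 5.2/5.4 pair gets out of sync.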
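Items 5.8, 5.10 and 5.12 to 5.14 together describe a reset-token lifecycle: a uniform response whether or not the account exists, delivery only to established channels, one-time use, a validity of at most 24 hours, and revocation of earlier tokens when a new one is issued. The following added example (not part of the checklist) puts those rules in one small service; the in-memory store, the seven-day channel cooldown, the `send` callback and the account data are constructed for the illustration.

```python
"""Password-reset token lifecycle covering checklist items 5.8, 5.10 and 5.12-5.14.

Added illustration; the store, the channel cooldown and the sample data are
constructed for the example and are not prescribed by the checklist.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)        # 5.13: a token is valid for at most 24 hours
CHANNEL_COOLDOWN = timedelta(days=7)   # 5.10: constructed cooldown for new/changed channels
# 5.8: identical message whether or not the identifier matches an account
GENERIC_MESSAGE = "If an account exists for this identifier, instructions have been sent."


@dataclass
class Channel:
    address: str
    verified: bool          # 5.9: only previously validated channels are used
    changed_at: datetime    # when the channel was added or last modified


@dataclass
class Account:
    username: str
    channels: list
    password_hash: bytes = b""


@dataclass
class ResetToken:
    username: str
    expires_at: datetime
    used: bool = False      # 5.12: one-time use
    revoked: bool = False   # 5.14: superseded by a newer token


class ResetService:
    def __init__(self, accounts, clock, send):
        self._accounts = {a.username: a for a in accounts}
        self._tokens = {}       # sha256(token) -> ResetToken; raw tokens are never stored
        self._clock = clock     # injectable clock so expiry can be exercised offline
        self._send = send       # callback(address, token) standing in for e-mail/SMS

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def _eligible_channels(self, account):
        now = self._clock()
        return [c for c in account.channels
                if c.verified and now - c.changed_at >= CHANNEL_COOLDOWN]

    def request_reset(self, identifier):
        """Always returns GENERIC_MESSAGE; side effects happen only for real accounts."""
        account = self._accounts.get(identifier)
        if account is not None:
            channels = self._eligible_channels(account)
            if channels:
                for rec in self._tokens.values():   # 5.14: revoke earlier tokens
                    if rec.username == account.username:
                        rec.revoked = True
                token = secrets.token_urlsafe(32)
                self._tokens[self._digest(token)] = ResetToken(
                    account.username, self._clock() + TOKEN_TTL)
                for ch in channels:
                    self._send(ch.address, token)
        return GENERIC_MESSAGE

    def redeem(self, token, new_password):
        """Consume a token once; returns True only if the password was changed."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec.used or rec.revoked or self._clock() >= rec.expires_at:
            return False
        rec.used = True                                         # 5.12
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        self._accounts[rec.username].password_hash = salt + digest
        return True


def run_scenario():
    """Exercise the rules on constructed data; returns the observed outcomes."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    sent = []
    old = Channel("alice@example.invalid", True, now[0] - timedelta(days=30))
    fresh = Channel("alice-new@example.invalid", True, now[0] - timedelta(hours=1))
    svc = ResetService([Account("alice", [old, fresh])], clock=lambda: now[0],
                       send=lambda addr, tok: sent.append((addr, tok)))
    msg_unknown = svc.request_reset("nobody")
    sent_after_unknown = len(sent)
    msg_known = svc.request_reset("alice")
    first = sent[-1][1]
    msg_again = svc.request_reset("alice")
    second = sent[-1][1]
    results = {
        "uniform_message": msg_unknown == msg_known == msg_again == GENERIC_MESSAGE,  # 5.8
        "unknown_sends_nothing": sent_after_unknown == 0,
        "fresh_channel_excluded": all(addr == old.address for addr, _ in sent),    # 5.10
        "first_token_revoked": svc.redeem(first, "N3w-pass-phrase!") is False,     # 5.14
        "second_token_accepted": svc.redeem(second, "N3w-pass-phrase!") is True,
        "second_token_single_use": svc.redeem(second, "Another-one!") is False,    # 5.12
    }
    svc.request_reset("alice")
    third = sent[-1][1]
    now[0] += TOKEN_TTL + timedelta(minutes=1)
    results["expired_token_rejected"] = svc.redeem(third, "Late-pass!") is False   # 5.13
    return results
```

`run_scenario()` returns a dict in which every entry should be `True`; each key names the checklist item it exercises. The clock is injected rather than read from `datetime.now()` so the 24-hour expiry can be checked without waiting, and the revocation loop runs before the new token is stored so that at most one live token exists per account at any time.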