Ralph Andalis
Well, to be fair... CWE mapping needs a second look too.
Hi @tghosth, can you please assign this to me so that it doesn't go off my radar? I keep forgetting it. Thanks!
@tghosth, what if in NIST there is nothing that explicitly says anything about an administrator setting up a user's default password (i.e. the main reason we had this new 2.3.4...
Let me give it a few passes in reading to ensure I did not miss it somewhere in their docs. I will confirm here whatever I find out.
Hi @tghosth, I have read [NIST SP 800-63](https://pages.nist.gov/800-63-3/sp800-63b.html) with a few more passes and cannot really find anything close to this ASVS requirement we have added. However, for [NIST SP...
@elarlang, yes I think that's the best way to keep it that way. Yup, I think we can close this issue determining there's no clear mapping.
I like this requirement. The only question I have is the implementation of it. I cannot think of any clear solutions as of first reading this, but I think it...
@elarlang, I like the requirement, but it sounds too general and vague in its current form, and I'm afraid it would be harder for anyone to understand and implement, _Verify that...
@elarlang, fair enough that 1.8.1 answers question number 1, so I agree let's leave it out of the new requirement to avoid confusion. I like the latest proposal for this...
That is a great question though... In wishful thinking, I think we should add something on OAuth2 best practices as well. I believe a lot of developers are not aware how...