Identity Management / Same Password Accepted in "Password Reset" Functionality

Web and API

Description

Same password accepted in "password reset" functionality is a weakness in the Identity Management category. In MITRE's Common Weakness Enumeration (CWE) the closest entries are CWE-521 (Weak Password Requirements) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password); CWE-798 (Use of Hard-coded Credentials) is unrelated. The OWASP Web Security Testing Guide covers it under WSTG-ATHN-09, Testing for Weak Password Change or Reset Functionalities: the application's password reset or change flow accepts a new password that is identical to the user's current one (or to a recently used one). A reset that can end with the password unchanged does not do what a reset exists for, which is to replace a credential that may already be known to someone else.

Risk

The weakness does not by itself let an attacker in; its effect is that a reset does not reliably rotate the credential. A user who is forced to reset after a breach notification, a phishing incident, or password expiry can simply re-enter the compromised password, and anyone who already holds it keeps their access. It also suggests that the reset handler never compares the candidate against the stored hash, so related controls (password history, breached-password screening) are probably missing as well. The actual impact depends on what the account protects and should be assessed case by case.

Solution

Reject a new password that matches the current one and, ideally, the last few: verify the candidate against the stored hash of the current password (and against a bounded history of previous hashes) exactly as a login would, and only then store the new hash. Pair this with a check against known-breached passwords. One caveat: the comparison tells whoever holds a valid reset token whether a guess equals the current password, so limit the number of attempts per token and invalidate the token when the limit is reached.
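The check described above, as an added example that is not code from the original page or from any product: a weak reset handler that stores whatever password arrives with a valid token, next to a hardened one that verifies the candidate against the current hash and a short history and caps attempts per token. The in-memory User store, the scrypt parameters, the history depth and the attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumptions for this example: an in-memory user object instead of a database,
# salted scrypt for hashing, five remembered hashes, five tries per reset token.
PASSWORD_HISTORY_DEPTH = 5
MAX_RESET_ATTEMPTS = 5


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def matches(password, salt, digest):
    """Verify a candidate the same way a login would: rehash with the stored salt."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.history = []          # (salt, digest) pairs of previous passwords, newest first
        self.reset_token = None
        self.reset_attempts = 0

    def issue_reset_token(self):
        """Simulates the 'forgot password' e-mail: a fresh single-use token."""
        self.reset_token = secrets.token_urlsafe(32)
        self.reset_attempts = 0
        return self.reset_token


def _token_valid(user, token):
    return user.reset_token is not None and hmac.compare_digest(user.reset_token, token)


def reset_password_weak(user, token, new_password):
    """The weakness: any request with a valid token sets the password, even if it is unchanged."""
    if not _token_valid(user, token):
        return "invalid-token"
    user.salt, user.digest = hash_password(new_password)
    user.reset_token = None
    return "ok"


def reset_password(user, token, new_password):
    """Hardened handler: the new password must differ from the current one and recent ones."""
    if not _token_valid(user, token):
        return "invalid-token"
    user.reset_attempts += 1
    if user.reset_attempts > MAX_RESET_ATTEMPTS:
        # The comparisons below act as a password oracle for a token holder, so cap them
        # and burn the token once the cap is hit.
        user.reset_token = None
        return "token-revoked"
    if matches(new_password, user.salt, user.digest):
        return "same-as-current"
    for salt, digest in user.history:
        if matches(new_password, salt, digest):
            return "recently-used"
    user.history = ([(user.salt, user.digest)] + user.history)[:PASSWORD_HISTORY_DEPTH]
    user.salt, user.digest = hash_password(new_password)
    user.reset_token = None
    return "ok"


def demo():
    """Walk both handlers through the same scenario; returns the outcomes in order."""
    user = User("alice", "Spring2024!")      # constructed sample account
    outcomes = []
    token = user.issue_reset_token()
    outcomes.append(reset_password_weak(user, token, "Spring2024!"))   # accepted unchanged
    token = user.issue_reset_token()
    outcomes.append(reset_password(user, token, "Spring2024!"))        # rejected
    outcomes.append(reset_password(user, token, "correct-horse-battery"))
    token = user.issue_reset_token()
    outcomes.append(reset_password(user, token, "Spring2024!"))        # old one is in history
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

The hardened handler never needs the old password in clear text, which matters for a token-based reset where the user has forgotten it: the candidate is hashed with the stored salt and compared, exactly like a login attempt. Keeping a history costs one scrypt evaluation per remembered hash, which is another reason to keep the depth and the attempt limit small.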
