This standard describes one option for user security as username/password. If username / passwords are used, they should follow site specific rules and passwords should be secured both in transit and in storage. Usernames should be able to be changed. Passwords should not be hardcoded as part of an application. They should be able to be managed by administrative users. Passwords should follow the password complexity and timeout rules associated with a site CSMS.