Hi Omindu,


On Mon, Mar 13, 2017 at 5:00 PM, Omindu Rathnaweera <[email protected]> wrote:

> Hi,
>
> On Sun, Mar 12, 2017 at 7:59 AM, Ruwan Abeykoon <[email protected]> wrote:
>
>> Hi All,
>> Can the hash algorithm change over time?
>> If so we need to record the hash algorithm used to do hashing along with
>> the particular password history record. We need to use the particular
>> algorithm to do the comparison, not the system configured one.
>>
>
> In addition to the hashing algo, we should store the key length and the
> iteration count. We have given the option to configure these properties for
> the credential stores and we should do the same for password history
> management. Since we are storing the current password in the history table,
> the hashing mechanism should be similar to that of the credential stores.
>

I don't think we need to use the hashing algorithm since we are using salted
passwords. We store the passwords in the password history table only if we
enable this feature. So, the clients who don't like to duplicate their
passwords in Identity tables can disable the password history feature and
use the feature supported in the relevant user store, such as Active Directory.

Thanks
Isura.

>
> Regards,
> Omindu.
>
>
>>
>> Cheers,
>> Ruwan
>>
>>
>> On Sun, Mar 12, 2017 at 7:44 AM, Gayan Gunawardana <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> We are in the process of implementing password history validation
>>> feature for IS 6.0.0. Architecture of this feature was previously discussed
>>> in [1] by Isura for IS 5.3.0. We plan to follow same architecture with
>>> minor changes.
>>>
>>> Previously, history validation was done by checking only the last 'n'
>>> attempts, e.g. you cannot use a password that is within the last 5
>>> attempts. This time we additionally validate a time factor as well, e.g. you
>>> cannot use a password if there is a similar password with a created date
>>> inside the last 7 days.
>>>
>>> Table structure will be changed as below since we have unique user ID in
>>> C5.
>>>
>>> Previous
>>>
>>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>>   ID INTEGER NOT NULL AUTO_INCREMENT,
>>>   USER_NAME   VARCHAR(255) NOT NULL,
>>>   USER_DOMAIN VARCHAR(127) NOT NULL,
>>>   TENANT_ID   INTEGER DEFAULT -1,
>>>   SALT_VALUE  VARCHAR(255),
>>>   HASH        VARCHAR(255) NOT NULL,
>>>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>   PRIMARY KEY(ID),
>>>   UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH)
>>> )ENGINE INNODB;
>>>
>>>
>>> New
>>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>>   ID INTEGER NOT NULL AUTO_INCREMENT,
>>>   USER_UNIQUE_ID   VARCHAR(255) NOT NULL,
>>>   SALT_VALUE  VARCHAR(255),
>>>   HASH        VARCHAR(255) NOT NULL,
>>>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>   PRIMARY KEY(ID),
>>>   UNIQUE (USER_UNIQUE_ID,SALT_VALUE,HASH)
>>> )ENGINE INNODB;
>>>
>>> Password Hashing algorithm will be a configurable property.
>>>
>>> [1] [Architecture] Force Password Reset and Password History validation
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>>
>> Ruwan Abeykoon
>> Associate Director/Architect,
>> WSO2, Inc. http://wso2.com
>> lean.enterprise.middleware.
>>
>>
>>
>>
>
>
> --
> Omindu Rathnaweera
> Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>
>
>
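The thread raises two design points for the history table: Gayan's check combines a last-n rule with a time window, and Ruwan and Omindu argue that the algorithm, iteration count and key length must be stored with each record so that old records still verify after the system configuration changes. The following Python is an added example written for this page, not WSO2 IS code; the class and field names, the use of PBKDF2 as the illustrative KDF, and the in-memory store standing in for IDN_PASSWORD_HISTORY_DATA are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HashPolicy:
    """System-configured hashing parameters (assumed names; PBKDF2 is used
    here only to illustrate the idea of per-record parameters)."""
    algorithm: str    # PRF passed to PBKDF2, e.g. "sha256"
    iterations: int
    key_length: int   # derived key length in bytes


@dataclass(frozen=True)
class HistoryRecord:
    """One history row: the salted hash plus the parameters it was produced
    with, so it can still be verified after the configured policy changes."""
    user_unique_id: str
    salt: bytes
    hash: bytes
    algorithm: str
    iterations: int
    key_length: int
    time_created: datetime


def derive(password: str, salt: bytes, policy: HashPolicy) -> bytes:
    """Hash a password under the given parameters."""
    return hashlib.pbkdf2_hmac(policy.algorithm, password.encode("utf-8"),
                               salt, policy.iterations, policy.key_length)


class PasswordHistory:
    """In-memory stand-in for the history table (constructed for the example)."""

    def __init__(self, policy: HashPolicy, history_count: int, history_window: timedelta):
        self.policy = policy              # current configuration; may change later
        self.history_count = history_count
        self.history_window = history_window
        self._records: dict[str, list[HistoryRecord]] = {}

    def record(self, user_id: str, password: str, now: datetime | None = None) -> None:
        """Store a password under the current policy with a fresh per-record salt."""
        now = now or datetime.now(timezone.utc)
        salt = os.urandom(16)
        p = self.policy
        rec = HistoryRecord(user_id, salt, derive(password, salt, p),
                            p.algorithm, p.iterations, p.key_length, now)
        self._records.setdefault(user_id, []).append(rec)

    def is_reused(self, user_id: str, candidate: str, now: datetime | None = None) -> bool:
        """True if `candidate` matches a record that is among the last
        `history_count` entries OR was created inside `history_window`."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - self.history_window
        newest_first = sorted(self._records.get(user_id, []),
                              key=lambda r: r.time_created, reverse=True)
        for index, rec in enumerate(newest_first):
            in_count = index < self.history_count
            in_window = rec.time_created >= cutoff
            if not (in_count or in_window):
                continue
            # Re-derive with the record's own parameters, never the configured ones.
            rec_policy = HashPolicy(rec.algorithm, rec.iterations, rec.key_length)
            if hmac.compare_digest(derive(candidate, rec.salt, rec_policy), rec.hash):
                return True
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: last-2 rule plus a 7-day window, with a policy change mid-way."""
    t0 = datetime(2017, 3, 1, tzinfo=timezone.utc)
    store = PasswordHistory(HashPolicy("sha256", 1000, 32),
                            history_count=2, history_window=timedelta(days=7))
    store.record("user-1", "first-pass", now=t0)
    store.record("user-1", "second-pass", now=t0 + timedelta(days=1))
    store.record("user-1", "third-pass", now=t0 + timedelta(days=2))
    # Administrator changes the configured algorithm, iterations and key length.
    store.policy = HashPolicy("sha512", 2000, 64)
    store.record("user-1", "fourth-pass", now=t0 + timedelta(days=3))

    day4 = t0 + timedelta(days=4)
    day30 = t0 + timedelta(days=30)
    return {
        # hashed under the old policy, still found because per-record params are used
        "third_blocked_by_count": store.is_reused("user-1", "third-pass", day4),
        # outside the last 2 but inside the 7-day window
        "first_blocked_by_window": store.is_reused("user-1", "first-pass", day4),
        "new_password_allowed": not store.is_reused("user-1", "brand-new", day4),
        # 30 days on: window expired and first-pass is beyond the last 2
        "first_allowed_after_window": not store.is_reused("user-1", "first-pass", day30),
        # still among the last 2 even though it is older than the window
        "fourth_still_blocked_by_count": store.is_reused("user-1", "fourth-pass", day30),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

If the store only kept the configured policy, the check for "third-pass" after the switch to sha512/2000/64 would silently fail to match and the password would be accepted; the ALGORITHM, ITERATIONS and KEY_LENGTH fields on the record are what make the comparison independent of the current configuration.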
