[
https://issues.apache.org/jira/browse/SYNCOPE-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543304#comment-16543304
]
ASF subversion and git services commented on SYNCOPE-1337:
----------------------------------------------------------
Commit a4710ca6f8ccc176539445491ef35de4c698f303 in syncope's branch
refs/heads/2_0_X from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=a4710ca ]
[SYNCOPE-1337] Do not check password history by simple String comparison, use
Encryptor#verify as authentication does
> Password history policy is not enforced on salted passwords
> -----------------------------------------------------------
>
> Key: SYNCOPE-1337
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1337
> Project: Syncope
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.9, 2.1.0
> Reporter: Andrea Patricelli
> Assignee: Francesco Chicchiriccò
> Priority: Major
> Fix For: 2.0.10, 2.1.1, 3.0.0
>
>
> # Define a password policy and set history to a value > 0 (even 1 is good).
> # Set configuration parameter password.cipher.algorithm to a salted
> algorithm, say SSHA512 for example.
> # Create and user with a password.
> # Try to edit (more times if you like, in order to populate password
> history) user by changing the password (password management or edit wizard)
> to the same value or a value that you are sure that is in the password
> history (to trigger the policy). You'll see that the password is updated to
> the already used value and the history policy is not triggered.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
