On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
>
>    - Password History -
>
> Last 'n' number of passwords need to be maintained in user's history. When
> user updates his password we don't allow him to choose one of these 'n'
> passwords again.
>
>
>    - Periodic Password Reset -
>
> Force the user to periodically (configurable period) reset his password.
> When doing this we need to leverage the password history feature as well.
>
>
> CREATE TABLE IF NOT EXISTS idn_password_history_data
>              (
>                           user_name    VARCHAR(255) NOT NULL,
>                           user_domain  VARCHAR(255) NOT NULL,
>                           tenant_id    INTEGER DEFAULT -1,
>                           hash         VARCHAR(255) NOT NULL,
>                           time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>                           PRIMARY KEY (user_name, user_domain, tenant_id, hash)
>              )
>
>
> All the passwords which are supposed to be stored in this table are old
> passwords (expired).
>
> - I think we don't need to use the same password hashing algorithm (with
> or without salted value) which is defined in user-mgt.xml for password history
> validation.
>

IMO using the same hashing algo is cleaner. Isn't the current password also
stored in this table? If stored, it's mandatory to use salting.


> - admin users can change other users' passwords without giving their old
> passwords. In that case, how can we find the old password hash value to
> store for password history validation?
>
>
> Your comments and suggestions are highly appreciated.
>
> Thanks
> Isura.
>
>
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>
>


-- 
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
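An added illustration of the two points debated above (not code from WSO2 Identity Server or from either author): a password-history check that keeps a distinct random salt per entry, so that the same password stored for two users or at two times never yields the same hash, and that records the hash at set time, which is the only moment the plaintext of the new password is available, whether the user or an admin sets it. The table name, key layout, PBKDF2 parameters and history size are assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 50_000   # assumed PBKDF2 work factor; tune per deployment
HISTORY_SIZE = 5      # the 'n' from the proposal: remember the last n passwords

# In-memory stand-in for idn_password_history_data, keyed by
# (user_name, user_domain, tenant_id). Entries are (salt, digest), oldest first.
_history = defaultdict(list)


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; every history row gets its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def is_reused(user_key, candidate: str) -> bool:
    """True if candidate equals any of the last HISTORY_SIZE passwords on record.
    Each stored entry must be re-derived with its own salt; there is no single
    hash to compare against, which is the cost of salting the history."""
    for salt, digest in _history[user_key]:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            return True
    return False


def set_password(user_key, new_password: str) -> bool:
    """Reject a password found in history; otherwise record its salted hash.
    The row is written when the NEW password is set, so an admin-initiated
    reset (old password never presented) is covered without needing it."""
    if is_reused(user_key, new_password):
        return False
    salt = os.urandom(16)
    entries = _history[user_key]
    entries.append((salt, _derive(new_password, salt)))
    del entries[:-HISTORY_SIZE]   # drop the oldest rows beyond the last n
    return True


if __name__ == "__main__":
    alice = ("alice", "PRIMARY", -1)
    print(set_password(alice, "Winter2016!"))   # True: first password
    print(set_password(alice, "Winter2016!"))   # False: reuse rejected
```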
