On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage <dula...@wso2.com> wrote:

>
>
> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
>> are the currently identified improvements,
>>
>>
>>    - Password History -
>>
>> Last 'n' number of passwords need to be maintained in user's history.
>> When user updates his password we don't allow him to choose one of these
>> 'n' passwords again.
>>
>>
>>    - Periodic Password Reset -
>>
>> Force the user to periodically (configurable period) reset his password.
>> When doing this we need to leverage the password history feature as well.
>>
>>
There can be a requirement where the system forces the user to change the
password, but at the same time gives him the option to use the old password.
I've seen some financial organizations doing this.

>
>>
>> CREATE TABLE IF NOT EXISTS idn_password_history_data
>>              (
>>                           user_name    VARCHAR(255) NOT NULL,
>>                           user_domain  VARCHAR(255) NOT NULL,
>>                           tenant_id    INTEGER DEFAULT -1,
>>                           hash         VARCHAR(255) NOT NULL,
>>                           time_created TIMESTAMP NOT NULL DEFAULT
>> CURRENT_TIMESTAMP,
>>                           PRIMARY KEY (user_name, user_domain, tenant_id,
>> hash)
>>              );
>>
>>
>> All the passwords which are supposed to be stored in this table are old
>> passwords (expired).
>>
>> - I think we don't need to use the same password hashing algorithm (with
>> or without salted value) which is defined in user-mgt.xml for password history
>> validation.
>>
>
> IMO using the same hashing algo is cleaner. Isn't the current password
> also stored in this table? If stored, it's mandatory to use salting.
>
>
>> - admin users can change other users' passwords without giving their old
>> passwords. In that case, how can we find the old password hash value to
>> store for password history validation?
>>
>>
>> Your comments and suggestions are highly appreciated.
>>
>> Thanks
>> Isura.
>>
>>
>> Isura Dilhara Karunaratne
>> Senior Software Engineer
>>
>> Mob +94 772 254 810
>>
>>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>



-- 
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
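The two features discussed in this thread (a bounded password history checked on every change, and a configurable forced-reset period that reuses the history's timestamps) are sketched below as an added, stand-alone Python example. It is not WSO2 Identity Server code and does not reflect how the product implemented the feature; the in-memory store, the PBKDF2-HMAC-SHA256 hashing with a per-entry random salt (the salting Dulanja calls mandatory if the current password is also recorded), the `history_size` and `max_age_seconds` parameters and the sample user names are all assumptions made for the illustration. Each password is recorded with its salted hash at the moment it is set, so the check needs no old plaintext, which also covers an administrator setting a password on someone else's behalf.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical work factor; production values belong in configuration.
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class HistoryEntry:
    """One row of password history: salt, salted hash, and when it was set."""
    salt: bytes
    digest: bytes
    time_created: float


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function is used on store and on check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistoryStore:
    """Keeps the last `history_size` salted hashes per (user, domain, tenant)."""

    def __init__(self, history_size: int = 5, max_age_seconds: float = 90 * 86400):
        self.history_size = history_size
        self.max_age_seconds = max_age_seconds
        # key -> list of HistoryEntry, oldest first (constructed in-memory stand-in for the table)
        self._history = defaultdict(list)

    @staticmethod
    def _key(user_name: str, user_domain: str, tenant_id: int):
        return (user_name, user_domain, tenant_id)

    def record_password(self, user_name, user_domain, tenant_id, password, now=None):
        """Store the hash of a password at the time it is set; evict beyond history_size."""
        now = time.time() if now is None else now
        salt = os.urandom(16)  # fresh random salt per entry, never reused
        entries = self._history[self._key(user_name, user_domain, tenant_id)]
        entries.append(HistoryEntry(salt, hash_password(password, salt), now))
        # Keep only the newest history_size entries; slicing is a no-op when under the limit.
        del entries[:-self.history_size]

    def is_reused(self, user_name, user_domain, tenant_id, candidate: str) -> bool:
        """True if the candidate matches any retained previous password."""
        key = self._key(user_name, user_domain, tenant_id)
        for entry in self._history.get(key, []):
            # Re-hash with that entry's salt and compare in constant time.
            if hmac.compare_digest(hash_password(candidate, entry.salt), entry.digest):
                return True
        return False

    def reset_required(self, user_name, user_domain, tenant_id, now=None) -> bool:
        """True when the most recent password is older than max_age_seconds."""
        now = time.time() if now is None else now
        entries = self._history.get(self._key(user_name, user_domain, tenant_id))
        if not entries:
            # No recorded password: its age cannot be proven, so force a reset.
            return True
        return (now - entries[-1].time_created) > self.max_age_seconds


if __name__ == "__main__":
    # Constructed walk-through: history of 2, passwords expire after 10 seconds.
    store = PasswordHistoryStore(history_size=2, max_age_seconds=10)
    store.record_password("alice", "PRIMARY", -1, "first-pw", now=100)
    store.record_password("alice", "PRIMARY", -1, "second-pw", now=105)
    store.record_password("alice", "PRIMARY", -1, "third-pw", now=110)
    print("first-pw reused?", store.is_reused("alice", "PRIMARY", -1, "first-pw"))    # evicted
    print("second-pw reused?", store.is_reused("alice", "PRIMARY", -1, "second-pw"))  # retained
    print("reset at t=121?", store.reset_required("alice", "PRIMARY", -1, now=121))
```

Because every check re-hashes the candidate under each stored salt, the cost of a password change grows linearly with `history_size`; that is the price of salting the history rows and is why the retained count should stay small.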
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev