Yes, but in a scenario where multi-factor authentication is used, the risk
might be minimal. Also, if the server is catering only to internal
requirements, like in a corporate department, and is not exposed to the
outside, having to change the password every 3 months or so might affect
usability. People tend to run out of passwords that can be easily
remembered. Then they might opt to write them down somewhere.

My suggestion is: the default should be to force the user and not give him/her
the option to use the old password, but make it configurable so that the
scenarios I mentioned above can be catered to, if required. WDYT?

On Mon, Jun 20, 2016 at 12:44 PM, Milan Perera <[email protected]> wrote:

> Hi Dulanja,
>
>> There can be a requirement where the system forces the user to change the
>> password, but at the same time give him the option to use the old
>> password. I've seen some financial organizations doing this.
>
> IMO, letting one of the old passwords be used again creates a security threat.
> Isn't it?
>
> Regards,
> --
> *Milan Perera* | Software Engineer
> WSO2, Inc | lean. enterprise. middleware.
> #20, Palm Grove, Colombo 03, Sri Lanka
> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
> Email: [email protected] <[email protected]> | Web: www.wso2.com
> <http://lk.linkedin.com/in/milanharinduperera>
>



-- 
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
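A concrete illustration of the configurable default Dulanja suggests, added here as example code and not taken from the thread or from any WSO2 product: a hypothetical `PasswordHistoryPolicy` that rejects reuse of recently used passwords by default, keeps only salted PBKDF2 hashes of the history (never the plaintexts), and can be relaxed through its `allow_reuse` setting for deployments like the internal, MFA-protected one described above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple

# (salt, digest) pairs; nothing recoverable to plaintext is stored
HistoryEntry = Tuple[bytes, bytes]


@dataclass
class PasswordHistoryPolicy:
    """Hypothetical policy object; names and defaults are assumptions."""
    allow_reuse: bool = False    # default forbids reuse, as the thread suggests
    history_depth: int = 5       # how many previous passwords are remembered
    iterations: int = 100_000    # PBKDF2 work factor

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.iterations)

    def record(self, history: List[HistoryEntry], password: str) -> None:
        """Append the new password's salted hash and trim to history_depth."""
        salt = os.urandom(16)
        history.append((salt, self._hash(password, salt)))
        del history[:-self.history_depth]

    def is_reused(self, history: List[HistoryEntry], password: str) -> bool:
        """True if the candidate matches any remembered previous password."""
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in history)

    def validate_change(self, history: List[HistoryEntry],
                        new_password: str) -> Tuple[bool, str]:
        """Decide whether a forced password change may use this value."""
        if not self.allow_reuse and self.is_reused(history, new_password):
            return False, "password was used recently; choose a different one"
        return True, "ok"
```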