+1 for having a configurable option to use an old password. This gives security admins the flexibility to decide what best suits their security policies.
On Mon, Jun 20, 2016 at 4:35 PM, Dulanja Liyanage <[email protected]> wrote:

> Yes, but in a scenario where multi-factor authentication is used, the risk
> might be minimal. Also, if the server is catering only to internal
> requirements, like in a corporate department, and not exposed to the
> outside, having to change the password every 3 months or so might affect
> the usability. People tend to run out of passwords that could be easily
> remembered. Then they might opt to write it down somewhere.
>
> My suggestion is: the default should be to force the user and not give him/her
> the option to use the old password, but make it configurable so the
> scenarios I mentioned above could be catered for, if required. WDYT?
>
> On Mon, Jun 20, 2016 at 12:44 PM, Milan Perera <[email protected]> wrote:
>
>> Hi Dulanja,
>>
>>> There can be a requirement where the system forces the user to change
>>> the password, but at the same time gives him the option to use the old
>>> password. I've seen some financial organizations doing this.
>>
>> IMO, letting the user reuse one of the old passwords creates a security threat.
>> Isn't it?
>>
>> Regards,
>> --
>> *Milan Perera* | Software Engineer
>> WSO2, Inc | lean. enterprise. middleware.
>> #20, Palm Grove, Colombo 03, Sri Lanka
>> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
>> Email: [email protected] | Web: www.wso2.com
>> <http://lk.linkedin.com/in/milanharinduperera>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Best Regards,
Prasad.
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
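The policy the thread converges on (refuse reuse of old passwords by default, but let an administrator switch that off or bound how far back the history reaches) can be sketched as a password-history check. The code below is an added illustration and is not WSO2 code or anything from the thread; `PasswordPolicy`, `Account`, the field names and the status strings are all assumptions made for this example. Each remembered credential keeps its own random salt, so checking a candidate against the history costs one full scrypt run per entry, which is why the history depth is bounded.

```python
"""Password-history enforcement with a configurable "allow reuse" switch.

Added example (not WSO2 code). Secure default: a password that matches the
current one or any remembered previous one is refused; an administrator may
relax this per deployment (e.g. MFA-protected, internal-only systems).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy object; field names are assumptions for this example."""
    prevent_reuse: bool = True   # secure default: old passwords may not be reused
    history_depth: int = 5       # previous passwords remembered, besides the current one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn per stored hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    # Status strings returned by change_password (assumed for this example).
    OK = "ok"
    WRONG_PASSWORD = "wrong-password"
    REUSE_FORBIDDEN = "reuse-forbidden"

    def __init__(self, username: str, password: str,
                 policy: Optional[PasswordPolicy] = None) -> None:
        self.username = username
        self.policy = policy or PasswordPolicy()
        # history[0] is the current credential; older entries follow, newest first.
        self.history: List[Tuple[bytes, bytes]] = [hash_password(password)]

    def authenticate(self, password: str) -> bool:
        salt, digest = self.history[0]
        return matches(password, salt, digest)

    def change_password(self, current: str, new: str) -> str:
        # Always require the current password before allowing a change.
        if not self.authenticate(current):
            return self.WRONG_PASSWORD
        if self.policy.prevent_reuse:
            # Every entry has its own salt, so each comparison is a full scrypt run;
            # history_depth bounds that cost.
            for salt, digest in self.history:
                if matches(new, salt, digest):
                    return self.REUSE_FORBIDDEN
        self.history.insert(0, hash_password(new))
        # Keep the current credential plus history_depth previous ones.
        del self.history[self.policy.history_depth + 1:]
        return self.OK


if __name__ == "__main__":
    strict = Account("alice", "Winter2016!")                    # default policy
    print(strict.change_password("Winter2016!", "Winter2016!"))  # reuse-forbidden
    print(strict.change_password("Winter2016!", "Spring2016!"))  # ok
    relaxed = Account("bob", "pw-one", PasswordPolicy(prevent_reuse=False))
    print(relaxed.change_password("pw-one", "pw-one"))           # ok
```

With `prevent_reuse=False` the check is skipped entirely, which is the relaxed behaviour the thread describes for internal, MFA-protected deployments; with the default policy a password only becomes reusable again once it has been evicted from the bounded history.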
