Hi Dulanja,

On Mon, Jun 20, 2016 at 12:14 PM, Dulanja Liyanage <[email protected]> wrote:

> On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage <[email protected]> wrote:
>
>> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I am working on $subject for WSO2 Identity Server 5.3.0 release.
>>> Following are the currently identified improvements,
>>>
>>> - Password History -
>>>
>>> Last 'n' number of passwords need to be maintained in user's history.
>>> When user updates his password we don't allow him to choose one of these
>>> 'n' passwords again.
>>>
>>> - Periodic Password Reset -
>>>
>>> Force the user to periodically (configurable period) reset his password.
>>> When doing this we need to leverage the password history feature as well.
>>>
> There can be a requirement where the system forces the user to change the
> password, but at the same time give him the option to use the old password.
> I've seen some financial organizations doing this.
> If we are going to support this configuration, I think it is better to use same hashing method.
>
>>> CREATE TABLE IF NOT EXISTS idn_password_history_data
>>> (
>>>     user_name VARCHAR(255) NOT NULL,
>>>     user_domain VARCHAR(255) NOT NULL,
>>>     tenant_id INTEGER DEFAULT -1,
>>>     hash VARCHAR(255) NOT NULL,
>>>     time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>     PRIMARY KEY (user_name, user_domain, tenant_id, hash)
>>> )
>>>
>>> All the passwords which are supposed to store in this table are old
>>> passwords (expired).
>>>
>>> - I think we don't need to use the same password hashing algorithm
>>> (with or without salted value) which is defined user-mgt.xml for password
>>> history validation.
>>
>> IMO using the same hashing algo is cleaner. Isn't the current password
>> also stored in this table? If stored, it's mandatory to use salting.
>
> Current password will not store in the new table.
>
>>> - admin users can change other user's passwords without giving their old
>>> passwords. In that case, how can we find the old password hash value to
>>> store for password history validation?
>>>
>>> Your comments and suggestions are highly appreciated.
>>>
>>> Thanks
>>> Isura.
>>>
>>> Isura Dilhara Karunaratne
>>> Senior Software Engineer
>>>
>>> Mob +94 772 254 810
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.

--
Isura Dilhara Karunaratne
Senior Software Engineer
Mob +94 772 254 810
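An added example, not WSO2 code, of the history check the thread discusses: one salted hash routine is used for every entry, the last n expired passwords are kept per (user, domain, tenant) in the table posted above, and a password update is rejected when it matches any of them. The algorithm (PBKDF2-HMAC-SHA256), the 'salt$digest' encoding inside the single hash column, and the in-memory SQLite store are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Table from the thread (trailing comma removed); salt and digest share the hash column.
SCHEMA = """CREATE TABLE IF NOT EXISTS idn_password_history_data (
    user_name    VARCHAR(255) NOT NULL,
    user_domain  VARCHAR(255) NOT NULL,
    tenant_id    INTEGER DEFAULT -1,
    hash         VARCHAR(255) NOT NULL,
    time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (user_name, user_domain, tenant_id, hash))"""
KEY = "user_name = ? AND user_domain = ? AND tenant_id = ?"  # constant, so safe in f-strings

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 (assumed algorithm), stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def matches(password: str, stored: str) -> bool:
    """Re-hash the candidate with the entry's own salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

class PasswordHistory:
    """Keeps the last n expired passwords per (user, domain, tenant) and rejects their reuse."""
    def __init__(self, conn: sqlite3.Connection, max_entries: int):
        self.conn, self.max_entries = conn, max_entries
        conn.execute(SCHEMA)

    def record_expired(self, user, domain, tenant, old_password):
        """On password change: store the replaced password's hash, then prune to the newest n."""
        self.conn.execute("INSERT INTO idn_password_history_data (user_name, user_domain, "
                          "tenant_id, hash) VALUES (?, ?, ?, ?)", (user, domain, tenant, hash_password(old_password)))
        self.conn.execute(f"DELETE FROM idn_password_history_data WHERE {KEY} AND rowid NOT IN "
                          f"(SELECT rowid FROM idn_password_history_data WHERE {KEY} "
                          "ORDER BY time_created DESC, rowid DESC LIMIT ?)",
                          (user, domain, tenant, user, domain, tenant, self.max_entries))
        self.conn.commit()

    def is_reused(self, user, domain, tenant, candidate) -> bool:
        rows = self.conn.execute(f"SELECT hash FROM idn_password_history_data WHERE {KEY}", (user, domain, tenant))
        return any(matches(candidate, stored) for (stored,) in rows)

def open_history(max_entries: int) -> PasswordHistory:
    """In-memory SQLite stands in for the server datasource (constructed for the example)."""
    return PasswordHistory(sqlite3.connect(":memory:"), max_entries)
```

Because each entry carries its own random salt, the same password recorded twice yields different rows, and the check still has to re-hash the candidate once per stored entry.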
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
