Hi,

>> All the passwords which are supposed to be stored in this table are old
>> passwords (expired).
>>
>> - I think we don't need to use the same password hashing algorithm (with
>> or without salted value) which is defined in user-mgt.xml for password history
>> validation.
>>
>
> IMO using the same hashing algo is cleaner. Isn't the current password
> also stored in this table? If stored, it's mandatory to use salting.
>

I believe we should use either the hashing algorithm specified in the
user-mgt.xml or provide a separate config to specify a hashing algo for
password history.

Consider the following scenario.

Let's say we have specified the hashing algo in user-mgt.xml as SHA-512 and
we use SHA-256 (hard coded) to store old passwords. Given that the user has
the option to maintain the old password during a periodic password reset,
then the old password will be the same as the existing password if the user
decides to stick with the old password. Now, in the history table the
current password will be stored in a much weaker hash. This doesn't seem
right, does it? Also using the hashing algorithm specified in the
user-mgt.xml or a different config means that we'll have to store the
hashing algo in the history table.

Regards,
Omindu.


>
>
>> - admin users can change other users' passwords without giving their old
>> passwords. In that case, how can we find the old password hash value to
>> store for password history validation?
>>
>>
>> Your comments and suggestions are highly appreciated.
>>
>> Thanks
>> Isura.
>>
>>
>> Isura Dilhara Karunaratne
>> Senior Software Engineer
>>
>> Mob +94 772 254 810
>>
>>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
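The history-table layout Omindu argues for above (salted hashes, with the algorithm recorded on each row so entries written under a different user-mgt.xml setting can still be checked), as an added example in Python that is not part of this thread or of the WSO2 code base; the entry structure, function names and the SHA-256/SHA-512 name mapping are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List

# Algorithm names as they would be persisted per history row (assumed mapping).
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}


@dataclass(frozen=True)
class HistoryEntry:
    algorithm: str  # which digest produced this row, stored alongside it
    salt: bytes     # per-entry random salt, so equal passwords give different rows
    digest: bytes


def hash_password(password: str, algorithm: str, salt: bytes) -> bytes:
    """Salted digest computed with the algorithm recorded for the entry."""
    h = hashlib.new(ALGORITHMS[algorithm])
    h.update(salt + password.encode("utf-8"))
    return h.digest()


def add_to_history(history: List[HistoryEntry], password: str,
                   algorithm: str, max_entries: int = 5) -> List[HistoryEntry]:
    """Append the password under the currently configured algorithm; keep the newest rows."""
    salt = secrets.token_bytes(16)
    entry = HistoryEntry(algorithm, salt, hash_password(password, algorithm, salt))
    return (history + [entry])[-max_entries:]


def in_history(history: List[HistoryEntry], candidate: str) -> bool:
    """Recompute with each row's own algorithm and salt, so rows written before a
    config change (e.g. SHA-256 -> SHA-512) remain checkable; compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(candidate, e.algorithm, e.salt), e.digest)
        for e in history
    )


if __name__ == "__main__":
    # Constructed scenario: config was SHA-256 when the first password was set,
    # then changed to SHA-512; the older password must still be rejected on reuse.
    hist = add_to_history([], "Winter2015!", "SHA-256")
    hist = add_to_history(hist, "Spring2016!", "SHA-512")
    print(in_history(hist, "Winter2015!"), in_history(hist, "Summer2016!"))
```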