Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Thanuja Jayasinghe
Hi Pushpalanka/Isura, On Mon, Jun 20, 2016 at 4:50 PM, Pushpalanka Jayawardhana wrote: > Hi Isura, > > On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne > wrote: > >> Hi all, >> >> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following >>

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Darshana Gunawardana
Hi, As I see it, these two requirements are orthogonal and better to discuss in separate threads. If we consider them one by one, 1. Password History Validation. This is another layer of password pattern validation, which is done when a user tries to change his password. Hashing method of old password

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Pushpalanka Jayawardhana
Hi Isura, On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote: > Hi all, > > I am working on $subject for WSO2 Identity Server 5.3.0 release. Following > are the currently identified improvements, > > >- Password History - > > Last 'n' number of passwords need to be

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Omindu Rathnaweera
Hi, > All the passwords which are supposed to be stored in this table are old >> passwords (expired). >> >> - I think we don't need to use the same password hashing algorithm (with >> or without salted value) which is defined in user-mgt.xml for password history >> validation. >> > > IMO using the

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Isura Karunaratne
Hi Dulanja, On Mon, Jun 20, 2016 at 12:14 PM, Dulanja Liyanage wrote: > > > On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage > wrote: > >> >> >> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne >> wrote: > >>> Hi all, >>> >>> I am

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Milan Perera
> > My suggestion is: default should be to force the user and not give him/her >> the option to use the old password, but make it configurable so the >> scenarios I mentioned above could be catered, if required. WDYT? >> > +1 for having it as a configurable option -- *Milan Perera *|

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Prasad Tissera
+1 for having a configurable option to use an old password. This gives security admins the flexibility to decide what best suits their security policies. On Mon, Jun 20, 2016 at 4:35 PM, Dulanja Liyanage wrote: > Yes, but in a scenario where multi-factor authentication is

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Dulanja Liyanage
Yes, but in a scenario where multi-factor authentication is used, risk might be minimal. Also, if the server is catering only to internal requirements, like in a corporate department, and not exposed to the outside, having to change the password every 3 months or so might affect the usability.

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Milan Perera
Hi Dulanja, > There can be a requirement where the system forces the user to change the > password, but at the same time gives him the option to use the old password. > I've seen some financial organizations doing this. > >> >>> IMO, letting use of one of the old passwords again creates a security

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Kasun Bandara
Hi Harsha, Agree. This use case is normally valid when the password recovery option is disabled. Thanks, Kasun. On Mon, Jun 20, 2016 at 12:04 PM, Harsha Thirimanna wrote: > Hi Kasun, > User has a password recovery option to do that. No need to do that by > admin. Please make

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Dulanja Liyanage
On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage wrote: > > > On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne > wrote: > >> Hi all, >> >> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following >> are the currently identified

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Dulanja Liyanage
On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote: > Hi all, > > I am working on $subject for WSO2 Identity Server 5.3.0 release. Following > are the currently identified improvements, > > >- Password History - > > Last 'n' number of passwords need to be maintained in

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Harsha Thirimanna
Hi Kasun, User has a password recovery option to do that. No need to do that by admin. Please correct me if I am wrong. On Jun 20, 2016 11:41 AM, "Kasun Bandara" wrote: > Hi Harsha, > > On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna > wrote: > >> Hi

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-20 Thread Kasun Bandara
Hi Harsha, On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna wrote: > Hi Isura, > > I have one concern, please read the inline comments. > > On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne > wrote: > >> Hi all, >> >> I am working on $subject for WSO2

Re: [Dev] [Architecture] Force Password Reset and Password History validation

2016-06-19 Thread Harsha Thirimanna
Hi Isura, I have one concern, please read the inline comments. On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote: > Hi all, > > I am working on $subject for WSO2 Identity Server 5.3.0 release. Following > are the currently identified improvements, > > >- Password

[Dev] [Architecture] Force Password Reset and Password History validation

2016-06-19 Thread Isura Karunaratne
Hi all, I am working on $subject for WSO2 Identity Server 5.3.0 release. Following are the currently identified improvements, - Password History - Last 'n' number of passwords need to be maintained in the user's history. When a user updates his password, we don't allow him to choose one of these