Hi Pushpalanka/Isura,
On Mon, Jun 20, 2016 at 4:50 PM, Pushpalanka Jayawardhana
wrote:
> Hi Isura,
>
> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne
> wrote:
>
>> Hi all,
>>
>> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
>>
Hi,
As I see it, these two requirements are orthogonal and better discussed in
separate threads. If we consider them one by one,
1. Password History Validation.
This is another layer of password pattern validation, which is done when a
user tries to change his password.
Hashing method of old password
Hi Isura,
On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote:
> Hi all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
>
>- Password History -
>
> Last 'n' number of passwords need to be
Hi,
> All the passwords which are supposed to be stored in this table are old
>> passwords (expired).
>>
>> - I think we don't need to use the same password hashing algorithm (with
>> or without salted value) which is defined in user-mgt.xml for password history
>> validation.
>>
>
> IMO using the
Hi Dulanja,
On Mon, Jun 20, 2016 at 12:14 PM, Dulanja Liyanage wrote:
>
>
> On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage
> wrote:
>
>>
>>
>> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne
>> wrote:
>>
>>> Hi all,
>>>
>>> I am
>
> My suggestion is: default should be to force the user and not give him/her
>> the option to use the old password, but make it configurable so the
>> scenarios I mentioned above could be catered, if required. WDYT?
>>
>
+1 for having it as a configurable option
--
*Milan Perera *|
+1 for having a configurable option to use an old password. This gives
security admins the flexibility to decide what best suits their security
policies.
On Mon, Jun 20, 2016 at 4:35 PM, Dulanja Liyanage wrote:
> Yes, but in a scenario where multi-factor authentication is
Yes, but in a scenario where multi-factor authentication is used, the risk
might be minimal. Also, if the server is catering only to internal
requirements, like in a corporate department, and is not exposed to the
outside, having to change the password every 3 months or so might affect
usability.
Hi Dulanja,
> There can be a requirement where the system forces the user to change the
> password, but at the same time give him the option to use the old password.
> I've seen some financial organizations doing this.
>
>>
>>>
IMO, letting a user use one of the old passwords again creates a security
Hi Harsha,
Agree. This use case is normally valid when the password recovery option is
disabled.
Thanks,
Kasun.
On Mon, Jun 20, 2016 at 12:04 PM, Harsha Thirimanna
wrote:
> Hi Kasun,
> User has a password recovery option to do that. No need to do that by
> admin. Please make
On Mon, Jun 20, 2016 at 12:11 PM, Dulanja Liyanage wrote:
>
>
> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne
> wrote:
>
>> Hi all,
>>
>> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
>> are the currently identified
On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote:
> Hi all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
>
>- Password History -
>
> Last 'n' number of passwords need to be maintained in
Hi Kasun,
The user has a password recovery option to do that. No need to do that by
an admin. Please correct me if I am wrong.
On Jun 20, 2016 11:41 AM, "Kasun Bandara" wrote:
> Hi Harsha,
>
> On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna
> wrote:
>
>> Hi
Hi Harsha,
On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna
wrote:
> Hi Isura,
>
> I have one concern, please read the inline comments.
>
> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne
> wrote:
>
>> Hi all,
>>
>> I am working on $subject for WSO2
Hi Isura,
I have one concern, please read the inline comments.
On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne wrote:
> Hi all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
>
>- Password
Hi all,
I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
are the currently identified improvements,
- Password History -
The last 'n' passwords need to be maintained in the user's history. When a
user updates his password, we don't allow him to choose one of these