[WEB SECURITY] What's the best way to maintain password history?

Subin subin.net at gmail.com
Thu Nov 10 15:22:13 EST 2011

I'm looking for the most secure way to manage password history when a user resets (or creates a new) user id on a secure PCI DSS website.

Should we maintain a single user id per account and wipe out or overwrite the existing user id and password history?
(This defeats the purpose of maintaining a password history, as the user can always reuse the same id and password.)


Should we create a new, second user id associated with this account and make sure the previous user id is not used again? In this case, should we map the old password history to the new one, or let the user use his previous passwords on the new id?

This is on top of the RSA two-factor authentication; the credentials referred to here are what is stored in the application database to enforce password history (PassMark authentication does not enforce password history).

Please advise.


Sent from my iPhone
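
The following is an added example, not part of the original message or any reply to it. It shows one way to implement the second option the post raises: password history is keyed to a stable internal account id rather than to the login name, so renaming the user id neither resets the history nor lets the old id be claimed again. The class and method names, the PBKDF2 work factor, and the history depth of four (the figure used by the PCI DSS password-reuse requirement) are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune upward on real hardware).
PBKDF2_ITERATIONS = 100_000
# Fixed salt used only to give unknown user ids the same verification cost as known ones.
_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted digest. Every history entry keeps its own salt, so a reuse
    check must re-derive the candidate under each stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    account_id: str                                  # stable internal key; never renamed or reused
    user_id: str                                     # current login name
    retired_user_ids: set = field(default_factory=set)
    history: list = field(default_factory=list)      # (salt, digest) tuples, newest last; the
                                                     # last entry is the current password


class PasswordStore:
    """In-memory stand-in for the application database (hypothetical helper)."""

    def __init__(self, history_depth: int = 4):
        # Number of most recent passwords, current one included, that may not be reused.
        self.history_depth = history_depth
        self.accounts: dict[str, Account] = {}
        # Every user id ever issued, live or retired -> owning account id.
        self.user_id_owner: dict[str, str] = {}

    def _claim_user_id(self, user_id: str, account_id: str) -> None:
        # A user id is claimed forever, so a retired id can never be re-registered,
        # not even by the account that originally held it.
        if user_id in self.user_id_owner:
            raise ValueError(f"user id {user_id!r} has already been used")
        self.user_id_owner[user_id] = account_id

    def _append(self, acct: Account, password: str) -> None:
        salt = os.urandom(16)
        acct.history.append((salt, hash_password(password, salt)))
        # Retain only what the reuse rule needs; older digests are deleted.
        del acct.history[:-self.history_depth]

    def _matches_recent(self, acct: Account, password: str) -> bool:
        hit = False
        # Check every retained entry without an early exit, so timing does not
        # reveal which historical password the candidate matched.
        for salt, digest in acct.history[-self.history_depth:]:
            if hmac.compare_digest(hash_password(password, salt), digest):
                hit = True
        return hit

    def create_account(self, account_id: str, user_id: str, password: str) -> Account:
        if account_id in self.accounts:
            raise ValueError(f"account {account_id!r} already exists")
        self._claim_user_id(user_id, account_id)
        acct = Account(account_id, user_id)
        self.accounts[account_id] = acct
        self._append(acct, password)
        return acct

    def set_password(self, account_id: str, new_password: str) -> bool:
        """Returns False (and changes nothing) when the password is among the recent ones."""
        acct = self.accounts[account_id]
        if self._matches_recent(acct, new_password):
            return False
        self._append(acct, new_password)
        return True

    def rename_user_id(self, account_id: str, new_user_id: str) -> None:
        acct = self.accounts[account_id]
        self._claim_user_id(new_user_id, account_id)
        acct.retired_user_ids.add(acct.user_id)
        acct.user_id = new_user_id
        # History is deliberately untouched: the reuse rule follows the account,
        # not the login name, so a rename cannot be used to escape it.

    def verify_login(self, user_id: str, password: str) -> bool:
        account_id = self.user_id_owner.get(user_id)
        acct = self.accounts.get(account_id) if account_id is not None else None
        if acct is None or acct.user_id != user_id:
            # Unknown or retired id: burn the same work as a real check, then refuse.
            hash_password(password, _DUMMY_SALT)
            return False
        salt, digest = acct.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)


if __name__ == "__main__":
    store = PasswordStore(history_depth=4)
    store.create_account("acct-1001", "subin", "first-password")   # constructed sample data
    print("reuse of current rejected:", not store.set_password("acct-1001", "first-password"))
    store.set_password("acct-1001", "second-password")
    store.rename_user_id("acct-1001", "subin2")
    print("old password still blocked after rename:", not store.set_password("acct-1001", "first-password"))
    print("retired id cannot log in:", not store.verify_login("subin", "second-password"))
```

The store records retired user ids alongside live ones, which is what makes the "previous user id is not used again" requirement enforceable; the history itself lives on the account, so the user cannot shed it by obtaining a new login name. Old entries beyond the configured depth are deleted rather than kept indefinitely, since they serve no purpose once they fall outside the reuse window.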
