[WEB SECURITY] What's the best way to maintain password history?

Justin Scott leviathan at darktech.org
Thu Nov 10 18:23:39 EST 2011

> I'm looking for the best secure way to manage password
> history when a user resets (or creates a new) user id in
> a secure PCI DSS website.

It's a pretty rare website that I've seen that allows someone to
change their username or id once the account has been established.  If
you're allowing the username / id to be changed, I would link that to
their existing account records in the database to maintain a
consistent history of the account.  As for passwords, just store a
salted hash of their previous passwords for comparison to ensure they
don't re-use an older one.  I don't recall any specific rules around
reusing usernames, though you could do much the same if you want/need
to prevent their reuse.

-Justin Scott
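As an added illustration of the approach described in the reply above (this is example code written for this page, not code from the original post or its author): each remembered password is stored as a salted hash with its own random salt, and a proposed new password is hashed under each stored salt and compared in constant time. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt, and the history depth of five are assumptions for the example; use whatever slow password hash and parameters your site already uses for the live password, and tune the iteration count to your hardware.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original post).
ITERATIONS = 100_000   # PBKDF2 work factor; raise to match your live password hash
SALT_BYTES = 16        # fresh random salt per stored entry
HISTORY_DEPTH = 5      # how many previous passwords to remember


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of a password. PBKDF2-HMAC-SHA256 is used here
    because it ships with the standard library; any modern password KDF
    (bcrypt, scrypt, Argon2) fits the same pattern."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(password: str) -> dict:
    """Create one history record: its own random salt plus the resulting hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def matches_entry(password: str, entry: dict) -> bool:
    """Re-hash the candidate under this entry's salt and compare in constant time."""
    candidate = hash_password(password, entry["salt"])
    return hmac.compare_digest(candidate, entry["hash"])


class PasswordHistory:
    """Keeps the last HISTORY_DEPTH password hashes for one account,
    oldest first, and rejects a change that repeats any of them."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries: list[dict] = []

    def contains(self, password: str) -> bool:
        # Every entry has a different salt, so each one must be checked.
        return any(matches_entry(password, e) for e in self.entries)

    def record(self, new_password: str) -> bool:
        """Accept and store a new password, or return False if it was
        used recently. The current password is itself an entry, so
        changing a password to the same value is also refused."""
        if self.contains(new_password):
            return False
        self.entries.append(make_entry(new_password))
        if len(self.entries) > self.depth:
            # Drop the oldest so the list never grows past the policy depth.
            self.entries = self.entries[-self.depth:]
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    for pw in ["correct horse", "battery staple", "correct horse"]:
        print(f"{pw!r}: {'accepted' if history.record(pw) else 'rejected (reused)'}")
```

The per-entry salt means a reused password cannot be spotted by comparing stored hashes directly; the candidate has to be hashed once per entry, so a deep history multiplies the cost of a change by the history length. That is usually acceptable because password changes are rare, but it is a reason to keep the depth to what policy actually requires.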
