[WEB SECURITY] What's the best way to maintain password history?
leviathan at darktech.org
Thu Nov 10 18:23:39 EST 2011
> I'm looking for the best secure way to manage password
> history when a user resets (or creates a new) user id in
> a secure PCI DSS website.
It's a pretty rare website that I've seen that allows someone to
change their username or id once the account has been established. If
you're allowing the username / id to be changed, I would link that to
their existing account records in the database to maintain a
consistent history of the account. As for passwords, just store a
salted hash of their previous passwords for comparison to ensure they
don't re-use an older one. I don't recall any specific rules around
reusing usernames, though you could do much the same if you want/need
to prevent their reuse.
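The reply's suggestion, storing a salted hash of each previous password and comparing a candidate against them, worked through in Python as an added example (not code from the list post or its author). It assumes PBKDF2-HMAC-SHA256 with per-entry random salts and a history depth of four, the minimum PCI DSS requires for "last N passwords" checks; the iteration count and depth are assumptions to tune for your own deployment. Because every entry carries its own salt, each reuse check costs one full KDF run per retained entry, which is why the history is bounded rather than unlimited.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters for this example: tune iterations to your hardware budget,
# and keep HISTORY_DEPTH at least four to satisfy the PCI DSS reuse rule.
PBKDF2_ITERATIONS = 100_000
HASH_NAME = "sha256"
SALT_BYTES = 16
HISTORY_DEPTH = 4  # current password plus the previous three


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from password and salt with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordHistory:
    # (salt, digest) pairs, oldest first, most recent (the current password) last.
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_before(self, candidate: str) -> bool:
        """True if candidate matches the current password or any retained previous one.

        Each entry has its own salt, so the candidate must be re-derived once per
        entry; compare_digest keeps the comparison constant-time per digest.
        """
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def verify_current(self, password: str) -> bool:
        """Check a login attempt against the most recent entry only."""
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def set_password(self, new_password: str) -> bool:
        """Record a new password unless it repeats one in the retained history.

        Returns True on success, False if the password was rejected for reuse.
        """
        if self.was_used_before(new_password):
            return False
        salt = os.urandom(SALT_BYTES)  # fresh salt per entry, never reused across entries
        self.entries.append((salt, hash_password(new_password, salt)))
        # Age out the oldest entries so the reuse check stays bounded at HISTORY_DEPTH KDF runs.
        del self.entries[:-HISTORY_DEPTH]
        return True


if __name__ == "__main__":
    history = PasswordHistory()
    print(history.set_password("correct horse"))    # True: first password accepted
    print(history.set_password("correct horse"))    # False: identical to current
    print(history.set_password("battery staple"))   # True
    print(history.was_used_before("correct horse"))  # True: still within the retained window
```

If the stored history was produced by a weaker or legacy hash, keep it in a separate column with its own algorithm tag rather than mixing schemes in one list, and re-hash entries under the current KDF only when the user next supplies that plaintext.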