[WEB SECURITY] Fwd: What's the best way to maintain password history?

Subin subin.net at gmail.com
Thu Nov 10 18:40:46 EST 2011



> From: Subin <subin.net at gmail.com>
> Date: November 10, 2011 3:22:13 PM EST
> To: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> Subject: [WEB SECURITY] What's the best way to maintain password history?
> 
> I'm looking for the best secure way to manage password history when a user resets (or creates a new) user ID on a secure PCI DSS website.
> 
> Should we maintain a single user ID per account and wipe out or overwrite the existing user ID and password history?
> (This defeats the purpose of maintaining a password history, as the user can always reuse the same ID and password.)
> 
> Or
> 
> Should we create a new, second user ID associated with this account and make sure the previous user ID is not used again? In this case, should we map the old password history to the new one, or let the user use his previous passwords on the new ID?
> 
> This is on top of the RSA two-factor authentication; the credentials referred to here are what is stored in the application database to enforce password history (PassMark authentication does not enforce password history).
> 
> Please advise,
> 
> Thanks
> Subin
> 
> Sent from my iPhone
> 
> 
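One way to make the history survive a user-ID reset is to key it to the account rather than to the login ID, so a retired ID cannot be reissued and a replacement ID inherits the same reuse check. The following is an added example, not code from the thread or from any product it mentions; the class and method names, the PBKDF2 parameters and the sample account/login IDs are all constructed for illustration.

```python
# Added example: password history kept per account, not per login ID.
# Names (PasswordHistory, register_login, set_password) and the constants are
# hypothetical; adjust the hashing parameters to your own policy.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed value; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Keeps the last `depth` password hashes for each account ID."""

    def __init__(self, depth: int = 4):
        self.depth = depth
        self.login_to_account = {}  # login ID -> account ID (never reassigned)
        self.history = {}           # account ID -> [(salt, hash), ...], newest last

    def register_login(self, login_id: str, account_id: str) -> None:
        # A login ID, once issued, stays bound to its account; a new ID may join
        # the same account and therefore shares the account's history.
        if login_id in self.login_to_account:
            raise ValueError("login ID already in use")
        self.login_to_account[login_id] = account_id
        self.history.setdefault(account_id, [])

    def was_used(self, account_id: str, password: str) -> bool:
        """True if the candidate matches any retained hash for the account."""
        for salt, stored in self.history.get(account_id, []):
            if hmac.compare_digest(hash_password(password, salt), stored):
                return True
        return False

    def set_password(self, login_id: str, password: str) -> bool:
        """Record the new password and return True, or False if it is a reuse."""
        account_id = self.login_to_account[login_id]
        if self.was_used(account_id, password):
            return False
        salt = secrets.token_bytes(16)
        entries = self.history[account_id]
        entries.append((salt, hash_password(password, salt)))
        del entries[:-self.depth]  # retain only the newest `depth` entries
        return True


def demo() -> tuple:
    h = PasswordHistory(depth=2)
    h.register_login("jsmith", "acct-1")
    first = h.set_password("jsmith", "correct horse")     # accepted
    reused = h.set_password("jsmith", "correct horse")    # rejected: in history
    h.register_login("jsmith2", "acct-1")                 # new login ID, same account
    carried = h.set_password("jsmith2", "correct horse")  # rejected: history follows the account
    return first, reused, carried
```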