[WEB SECURITY] Fwd: What's the best way to maintain password history?
subin.net at gmail.com
Thu Nov 10 18:40:46 EST 2011
> From: Subin <subin.net at gmail.com>
> Date: November 10, 2011 3:22:13 PM EST
> To: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> Subject: [WEB SECURITY] What's the best way to maintain password history?
> I'm looking for the best secure way to manage password history when a user resets (or creates a new) user ID on a secure PCI DSS website.
> Should we maintain a single user ID per account and wipe out or overwrite the existing user ID and password history?
> (This defeats the purpose of maintaining a password history, as the user can always reuse the same ID and password.)
> Should we create a new, second user ID associated with this account and make sure the previous user ID is not used again? In this case, should we map the old password history to the new one, or let the user use his previous passwords on the new ID?
> This is on top of the RSA two-factor authentication; the credentials referred to here are what is stored in the application database to enforce password history (PassMark authentication does not enforce password history).
> Please advise,
> Sent from my iPhone
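One way to structure this, as an added example that is not part of the thread: the history is keyed by a stable internal account ID rather than the login ID, retired login IDs are never reissued, and only salted PBKDF2 digests are kept, so a login rename neither wipes the history nor lets old passwords return. The class, the work factor and the history depth are assumptions for illustration.

```python
import hashlib
import hmac
import os
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to hardware and policy
HISTORY_DEPTH = 4        # assumed policy: reject the last four passwords
def derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the history never holds reusable secrets.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class PasswordStore:
    # History is keyed by the immutable account ID, not the login ID, so a
    # login rename neither wipes the history nor lets old passwords return.
    def __init__(self):
        self.history = {}            # account_id -> [(salt, digest), ...], newest first
        self.logins = {}             # current login_id -> account_id
        self.retired_logins = set()  # login IDs that must never be reissued

    def login_available(self, login_id: str) -> bool:
        return login_id not in self.logins and login_id not in self.retired_logins

    def create_account(self, account_id: int, login_id: str, password: str) -> None:
        if not self.login_available(login_id):
            raise ValueError("login ID in use or retired")
        self.logins[login_id] = account_id
        self.history[account_id] = []
        self._record(account_id, password)

    def rename_login(self, account_id: int, new_login_id: str) -> None:
        if not self.login_available(new_login_id):
            raise ValueError("login ID in use or retired")
        old = next(l for l, a in self.logins.items() if a == account_id)
        self.retired_logins.add(old)            # old ID can never be reused
        del self.logins[old]
        self.logins[new_login_id] = account_id  # history[account_id] is untouched

    def was_used(self, account_id: int, password: str) -> bool:
        return any(hmac.compare_digest(derive(password, salt), digest)
                   for salt, digest in self.history[account_id][:HISTORY_DEPTH])

    def set_password(self, account_id: int, password: str) -> bool:
        # Returns False and changes nothing when the password is in the history.
        if self.was_used(account_id, password):
            return False
        self._record(account_id, password)
        return True

    def _record(self, account_id: int, password: str) -> None:
        salt = os.urandom(16)
        self.history[account_id].insert(0, (salt, derive(password, salt)))
        del self.history[account_id][HISTORY_DEPTH:]  # keep only what policy needs
```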