[WEB SECURITY] What's the best way to maintain password history?

Subin subin.net at gmail.com
Thu Nov 10 20:10:14 EST 2011


Hi Justin,

I don't remember using a user ID reset feature either; to my surprise, major banks / cards do allow resetting the user ID.

Most of the implementations I see follow the same process of creating a new user login during reset (irrespective of whether you provide a new user ID or the same old one), and it wipes out the existing data, allowing only one user ID associated with an account. Hence it allows the user to have the same old user ID and password always, after a reset.

This negates the purpose of the password history feature, but I see this implementation very commonly, so I was wondering if this is really the right thing to do?

But again, even if it didn't allow this and the application remembers the last 4 passwords, the user can reset the password 4 times, allowing him to reuse the same old password; very few sites restrict the number of password resets you can do in a day.

Thanks
Subin

Sent from my iPhone

On Nov 10, 2011, at 6:23 PM, Justin Scott <leviathan at darktech.org> wrote:

>> I'm looking for the best secure way to manage password
>> history when a user resets (or creates a new) user id in
>> a secure pci dss website.
> 
> It's a pretty rare website that I've seen that allows someone to
> change their username or id once the account has been established.  If
> you're allowing the username / id to be changed, I would link that to
> their existing account records in the database to maintain a
> consistent history of the account.  As for passwords, just store a
> salted hash of their previous passwords for comparison to ensure they
> don't re-use an older one.  I don't recall any specific rules around
> reusing usernames, though you could do much the same if you want/need
> to prevent their reuse.
> 
> 
> -Justin Scott
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
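The two mechanisms discussed above, as an added example that is not code from either poster: a password history kept as one salted hash per remembered password (Justin's suggestion), a user ID change that keeps the history attached to the same record instead of wiping it, and a per-day reset cap, which is the control Subin notes most sites lack. The `cycle_back_to` function plays the user who resets through four throwaway passwords to get back to the old one; with no cap it succeeds, with a cap of two resets per day it is stopped. The iteration count, the history depth of 4 and the cap of 2 are assumptions chosen for the example, and the passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional, Tuple

# Assumptions for this example (not from the original thread): PBKDF2-HMAC-SHA256
# with a per-password random salt; tune the iteration count to your hardware.
PBKDF2_ITERS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, user_id: str, password: str,
                 history_depth: int = 4, max_resets_per_day: Optional[int] = None):
        self.user_id = user_id
        # Newest entry last; the current password counts as one of the remembered ones.
        self.history = deque(maxlen=history_depth)
        self.max_resets_per_day = max_resets_per_day  # None = unlimited (the common case)
        self.resets_on_day = {}                        # day -> number of resets used
        self._store(password)

    def _store(self, password: str) -> None:
        self.history.append(hash_password(password))

    def in_history(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.history)

    def change_password(self, new_password: str) -> Tuple[bool, str]:
        if self.in_history(new_password):
            return False, "password matches one of the remembered passwords"
        self._store(new_password)
        return True, "ok"

    def reset_password(self, new_password: str, day: int) -> Tuple[bool, str]:
        """A 'forgot password' reset: same history rule, plus a per-day cap."""
        used = self.resets_on_day.get(day, 0)
        if self.max_resets_per_day is not None and used >= self.max_resets_per_day:
            return False, "reset limit reached for today"
        ok, why = self.change_password(new_password)
        if ok:
            self.resets_on_day[day] = used + 1
        return ok, why

    def change_user_id(self, new_user_id: str) -> None:
        """Rename the login but keep it linked to the same record, so the
        password history survives (instead of recreating the login from scratch)."""
        self.user_id = new_user_id


def cycle_back_to(account: Account, old_password: str, day: int) -> bool:
    """Attempt the bypass from the thread: reset through enough throwaway
    passwords to push the old one out of the history, then reset back to it."""
    depth = account.history.maxlen
    for i in range(depth):
        ok, _ = account.reset_password(f"throwaway-{i}-{os.urandom(4).hex()}", day)
        if not ok:
            return False  # stopped by the cap before the history was flushed
    ok, _ = account.reset_password(old_password, day)
    return ok


if __name__ == "__main__":
    uncapped = Account("subin", "Winter2011!")
    print("reuse blocked:", not uncapped.change_password("Winter2011!")[0])
    print("bypass without a reset cap:", cycle_back_to(uncapped, "Winter2011!", day=1))
    capped = Account("subin", "Winter2011!", max_resets_per_day=2)
    print("bypass with a reset cap:", cycle_back_to(capped, "Winter2011!", day=1))
```

Note that the cap only delays a determined user (they can come back tomorrow); a minimum password age or a longer history closes the gap further, but the point the thread makes stands: a history check is only as strong as the limits on how fast it can be flushed, and a user ID reset that recreates the login flushes it in one step.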