[WEB SECURITY] What's the best way to maintain password history?
subin.net at gmail.com
Thu Nov 10 20:10:14 EST 2011
I don't remember using the user id reset feature either; to my surprise, major banks / cards do allow you to reset the user Id.
Most of the implementations I see follow the same process of creating a new user login during reset (irrespective of whether you provide a new user Id or the same old one), and it wipes out the existing data, allowing only one user Id associated to an account. And hence it allows the user to have the same old user id and password always, after reset.
This negates the purpose of the password history feature, but I see this implementation very commonly, so I was wondering if this is really the right thing to do?
But again, even if it didn't allow this and the application remembers the last 4 passwords, the user can reset the password 4 times, allowing him to reuse the same old password; very few sites restrict the number of password resets you can do in a day.
Sent from my iPhone
On Nov 10, 2011, at 6:23 PM, Justin Scott <leviathan at darktech.org> wrote:
>> I'm looking for the best secure way to manage password
>> history when a user resets (or creates a new) user id in
>> a secure PCI DSS website.
> It's a pretty rare website that I've seen that allows someone to
> change their username or id once the account has been established. If
> you're allowing the username / id to be changed, I would link that to
> their existing account records in the database to maintain a
> consistent history of the account. As for passwords, just store a
> salted hash of their previous passwords for comparison to ensure they
> don't re-use an older one. I don't recall any specific rules around
> reusing usernames, though you could do much the same if you want/need
> to prevent their reuse.
> -Justin Scott
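The two points raised in this thread, keying the password history to an immutable account id so a username reset cannot wipe it, and capping resets per day so a user cannot cycle the history out, as an added Python example that is not code from either poster. The depth of 4 comes from the thread; the per-day cap of 3 and the PBKDF2 parameters are assumed policy values.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import date

HISTORY_DEPTH = 4        # "remembers the last 4 passwords", as in the thread
MAX_RESETS_PER_DAY = 3   # assumed policy: fewer resets per day than history slots
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh salt is used per stored entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """The history hangs off the immutable account_id, not the username, so
    renaming the login never discards the stored (salt, hash) pairs."""

    def __init__(self, account_id: int, username: str):
        self.account_id = account_id
        self.username = username
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), oldest first
        self.reset_day, self.reset_count = date.min, 0

    def matches_previous(self, candidate: str) -> bool:
        # Re-derive the candidate under each stored salt; constant-time compare.
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, new_password: str, today: date) -> str:
        """Returns 'ok', 'reused' or 'rate_limited'; only successful changes count."""
        if self.reset_day == today and self.reset_count >= MAX_RESETS_PER_DAY:
            return "rate_limited"
        if self.matches_previous(new_password):
            return "reused"
        salt = os.urandom(16)
        self.history.append((salt, hash_password(new_password, salt)))
        self.reset_count = self.reset_count + 1 if self.reset_day == today else 1
        self.reset_day = today
        return "ok"

    def rename(self, new_username: str) -> None:
        """Username reset keeps the account record, hence the history, intact."""
        self.username = new_username
```

Because the daily cap is smaller than the history depth, a user cannot push an old password out of the window in a single day, which is the gap the thread describes.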