[WEB SECURITY] What's the best way to maintain password history?

Vance, Michael Michael.Vance at salliemae.com
Fri Nov 11 07:54:27 EST 2011


>> I'm looking for the best secure way to manage password
>> history when a user resets (or creates a new) user ID on
>> a secure PCI DSS website.

>It's a pretty rare website that I've seen that allows someone to
>change their username or id once the account has been established.

It's actually very common if the site uses the e-mail address as the username or if it has a "Forgot User ID" function that uses e-mail to deliver the forgotten ID. There is always the chance that the user no longer has access to the e-mail address that is on file. Though we are in a day and age where everyone *could* obtain and use a "permanent" e-mail address, addresses do still change when someone uses a work or school address, or if they get too much spam and decide to just junk an address and create a new one.

-Michael
