I'm looking for the best secure way to manage password
history when a user resets (or creates a new) user ID on
a secure PCI DSS website.
It's a pretty rare website that I've seen that allows someone to
change their username or id once the account has been established. If
you're allowing the username / id to be changed, I would link that to
their existing account records in the database to maintain a
consistent history of the account. As for passwords, just store a
salted hash of their previous passwords for comparison to ensure they
don't re-use an older one. I don't recall any specific rules around
reusing usernames, though you could do much the same if you want/need
to prevent their reuse.
-Justin Scott
One drawback in relying solely on a hash for password history policy
enforcement is that it won't allow you to perform any level of character
analysis for similarity to previous passwords, only identical ones. A
slightly more complicated but also more flexible system would involve
encryption rather than hashing. This technique is complicated due to the
need for key management.
Darren
On Thu, Nov 10, 2011 at 6:23 PM, Justin Scott <leviathan@darktech.org> wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
Thank you,
Darren Bounds
Hi Justin,
I don't remember using a user ID reset feature either, but to my surprise major banks / cards do allow resetting the user ID.
Most of the implementations I see follow the same process of creating a new user login during reset (irrespective of whether you provide a new user ID or the same old one), and it wipes out the existing data, allowing only one user ID associated to an account, and hence allowing the user to have the same old user ID and password after a reset.
This negates the purpose of the password history feature, but I see this implementation very commonly, so I was wondering if this is really the right thing to do?
But again, even if it didn't allow this and the application remembers the last 4 passwords, the user can reset the password 4 times, allowing him to reuse the same old password; very few sites restrict the number of password resets you can do in a day.
Thanks
Subin
Sent from my iPhone
On Nov 10, 2011, at 6:23 PM, Justin Scott leviathan@darktech.org wrote:
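The two points raised so far (Justin's: store a salted hash of each previous password and keep the history attached to the account record rather than the login name; Subin's: a 4-deep history is defeated by four quick resets unless resets are throttled) can be put together in a small check. The code below is an added example written for this page, not code posted by anyone in the thread. The PBKDF2 parameters, the history depth of 4, the two-resets-per-day limit, the account model and the sample passwords and timestamps are all assumptions for illustration.

```python
"""Password-history and reset-throttling check (illustrative, not from the thread)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 60_000   # assumption; tune to your hardware
HISTORY_DEPTH = 4            # "remembers the last 4 passwords"
MAX_RESETS_PER_DAY = 2       # assumption; the throttle most sites are said to lack


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    changed_at: datetime


@dataclass
class Account:
    # The login name is only an attribute of the account record, so renaming
    # it leaves the password history (and reset timestamps) intact.
    user_id: str
    history: list = field(default_factory=list)      # oldest first
    reset_times: list = field(default_factory=list)


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; every history entry gets its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def seed_password(account: Account, password: str, when: datetime) -> None:
    """Initial enrolment: recorded in history but not counted as a reset."""
    salt = os.urandom(16)
    account.history.append(HistoryEntry(salt, derive(password, salt), when))


def matches_recent_password(account: Account, candidate: str) -> bool:
    """True if candidate equals any of the last HISTORY_DEPTH passwords.

    Because each entry has its own salt the candidate is re-derived per entry.
    A hash only supports this exact-match test; similarity scoring would need
    the recoverable (encrypted) form Darren describes."""
    for entry in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(derive(candidate, entry.salt), entry.digest):
            return True
    return False


def resets_in_last_day(account: Account, now: datetime) -> int:
    return sum(1 for t in account.reset_times if t > now - timedelta(days=1))


def reset_password(account: Account, new_password: str, now: datetime) -> str:
    """Throttle first, then history; returns 'ok', 'reused' or 'throttled'."""
    if resets_in_last_day(account, now) >= MAX_RESETS_PER_DAY:
        return "throttled"
    if matches_recent_password(account, new_password):
        return "reused"
    salt = os.urandom(16)
    account.history.append(HistoryEntry(salt, derive(new_password, salt), now))
    account.reset_times.append(now)
    return "ok"


def change_user_id(account: Account, new_user_id: str) -> Account:
    """Rename the login; history stays linked to the same account record."""
    account.user_id = new_user_id
    return account


def run_cycling_scenario() -> dict:
    """Four throwaway resets in one day, then an attempt to get the original
    password back. The throttle refuses resets 3 and 4, so the original is
    still inside the 4-deep history the next day and is rejected as reused."""
    t0 = datetime(2011, 11, 10, 18, 23)          # constructed timestamp
    acct = Account("subin001")                    # constructed account
    seed_password(acct, "Orig!Pass2011", t0 - timedelta(days=30))
    same_day = [reset_password(acct, f"Throwaway{i}!x", t0 + timedelta(minutes=i))
                for i in range(HISTORY_DEPTH)]
    next_day = reset_password(acct, "Orig!Pass2011", t0 + timedelta(days=1, minutes=5))
    return {"same_day": same_day, "next_day_reuse": next_day, "history_len": len(acct.history)}


def run_rename_scenario() -> dict:
    """Changing the user ID must not wipe the history (the behaviour Subin saw)."""
    t0 = datetime(2011, 11, 11, 7, 54)            # constructed timestamp
    acct = Account("oldlogin42")                  # constructed account
    seed_password(acct, "Orig!Pass2011", t0)
    change_user_id(acct, "newlogin42")
    later = t0 + timedelta(hours=1)
    return {
        "user_id": acct.user_id,
        "old_password_still_known": matches_recent_password(acct, "Orig!Pass2011"),
        "case_variant_known": matches_recent_password(acct, "orig!pass2011"),
        "reuse_result": reset_password(acct, "Orig!Pass2011", later),
        "fresh_result": reset_password(acct, "Fresh#Pass1", later),
    }
```

The throttle is checked before the history so that a locked-out user learns nothing about which old passwords are still remembered. Without `MAX_RESETS_PER_DAY`, the four resets in `run_cycling_scenario` would all return `ok` and the original password would fall out of the 4-deep window, which is exactly the weakness described above.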
It's a pretty rare website that I've seen that allows someone to
change their username or id once the account has been established.
It's actually very common if the site uses e-mail address as username or if it has a "Forgot User ID" function that uses e-mail to deliver the forgotten ID. There is always the chance that the user no longer has access to the e-mail address that is on file. Though we are in a day and age where everyone could obtain and use a "permanent" e-mail address, they do still change when someone uses a work or school address or if they have too much spam and decide to just junk an address and create a new one.
-Michael
Hi,
This is an online banking / credit card website, and the user ID can be anything 6 to 32 chars (no spaces) but has to be a combination of alpha / numeric or special chars.
Email is only used for notification that your email ID was looked up or password was reset (user ID is not sent in the email). It's the same as with major cards like BofA / Chase / Capital One etc.
They all allow changing the online login ID.
Like Justin said, it seemed like a bug to me too, but when I look back at how other cards have implemented it, it's pretty much the same. Probably because there are no standards enforcing them or password history is not given much importance...
Passwords are stored as salted hashes. We follow RSA two-factor authentication, FDIC / FFIEC and PCI DSS.
Thanks
Subin
Sent from my iPhone
On Nov 11, 2011, at 7:54 AM, "Vance, Michael" <Michael.Vance@salliemae.com> wrote: