
Forbid a new own password to be the old one

Open Al2Klimov opened this issue 4 months ago • 2 comments

Is your feature request related to a problem? Please describe.

As a CISO, one can already SELECT name, coalesce(mtime, ctime) AS mtime FROM icingaweb_user ORDER BY coalesce(mtime, ctime) and force users to change too old passwords.

To keep their passwords, "smart" users could use their old password as new password.

Describe the solution you'd like

Simply forbid the latter in ChangePasswordForm. It has both passwords as I have to submit both to change my password.

Describe alternatives you've considered

@nilmerg pointed out there are even "smarter" users which would just change their password twice in a row to keep the old password.

To prevent this, we'd need a Vorratsdatenspeicherung of all old passwords.

Additional context

This is explicitly not part of #4401 (unless, of course, we allow e.g. Levenshtein distance to prevent the "smartest" users from using passwords similar to their old ones 🙈) because:

  • If I want to keep my old password, I just don't change it
  • If I force users to change it regularly, I expect them to actually change the password, i.e. not using old ones – so the framework should just do it if possible

Al2Klimov avatar Aug 22 '25 14:08 Al2Klimov

In my opinion, it would also be sufficient to store the last three passwords or keep a hash so that this can be prevented. All in all, that should help. And if necessary, extra care should be taken with very smart users ;-)

mwaldmueller avatar Aug 28 '25 09:08 mwaldmueller

store the last three passwords or keep a hash

Hash sounds good! I definitely don't want anyone to know one of my previous passwords was e.g. never_gonna_give_you_up_69

Al2Klimov avatar Aug 28 '25 10:08 Al2Klimov
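A worked version of the check discussed in this thread, added here as an example and not Icinga Web 2's own code (which is PHP): a new password is rejected when it equals the current one, as the issue asks, or any of the last three, which also defeats the "change it twice" trick; only salted slow hashes are kept, so the history does not reveal old passwords. Class and function names are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed example, not Icinga Web 2 code: an in-memory password history
# modelled on the "keep a hash of the last three passwords" suggestion above.
# Class and function names are hypothetical.

HISTORY_SIZE = 3          # previous passwords to remember, as proposed
PBKDF2_ROUNDS = 100_000   # illustrative; tune to the deployment's hardware


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked history must not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Newest entry is the current password; older entries are previous ones."""

    def __init__(self, size: int = HISTORY_SIZE):
        self._entries = deque(maxlen=size + 1)  # current + `size` previous ones

    def record(self, password: str) -> None:
        salt = os.urandom(16)                   # fresh salt per entry
        self._entries.append((salt, _derive(password, salt)))

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_derive(password, salt), digest)

    def verify_current(self, password: str) -> bool:
        return bool(self._entries) and self._matches(password, self._entries[-1])

    def was_used(self, password: str) -> bool:
        # Per-entry salts mean every remembered hash must be recomputed.
        return any(self._matches(password, e) for e in self._entries)


def change_password(history: PasswordHistory, old: str, new: str) -> str:
    """The check proposed for ChangePasswordForm, extended with the history.

    Returns "ok", "wrong-password" or "reused".
    """
    if not history.verify_current(old):
        return "wrong-password"
    if history.was_used(new):   # covers new == old and the "change it back" trick
        return "reused"
    history.record(new)
    return "ok"
```

Once more than HISTORY_SIZE changes have happened, the oldest hash is evicted and that password becomes acceptable again, which is the limit of any finite history.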