
Prevent reuse of the previous user password

Open · 01es opened this issue 6 years ago · 1 comment

Description

Often we come across requirements to prevent users from reusing 6 (or some other number) of their previous passwords upon resetting their password.

We've looked into this practice and its rationale, and it seems to be archaic. Nowadays passwords are stored as hashes (refer to the wiki page for more details). Storing the history of hashes and their respective salt values, which would be necessary to satisfy such a requirement, may potentially even weaken the application security (refer to the discussion).

Simply preventing reuse of the last password seems to be a better alternative. This issue covers the work to perform the necessary validation upon password reset.

Expected outcome

A bit more secure password reset subsystem.

01es avatar Jul 10 '19 06:07 01es
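The check proposed in the issue needs nothing beyond what the application already stores for the current password: the stored salt and hash are enough to test whether the new password equals the old one, so no password history has to be kept. The following is an added illustration, not code from this project; it assumes PBKDF2-HMAC-SHA256 as the hash (the project's actual key-derivation function is not stated on this page), and all credential values are constructed inside the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed KDF parameters for this example; a real deployment uses the
# project's own hashing scheme and work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What the user record holds: only the current salt and hash, no history."""
    salt: bytes
    digest: bytes
    iterations: int


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Hash a password with the given salt and work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_credential(password: str) -> StoredCredential:
    """Hash a freshly chosen password under a new random salt."""
    salt = os.urandom(SALT_BYTES)
    return StoredCredential(salt, derive(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)


def matches(password: str, cred: StoredCredential) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(password, cred.salt, cred.iterations), cred.digest)


class PasswordReuseError(ValueError):
    """Raised when the new password equals the current one."""


def reset_password(current: StoredCredential, new_password: str) -> StoredCredential:
    """Validate a password reset: reject reuse of the current password,
    then replace the credential with a new salt and hash.

    Only the current credential is consulted, so the check adds no stored
    material beyond what password verification already requires.
    """
    if matches(new_password, current):
        raise PasswordReuseError("new password must differ from the current password")
    return create_credential(new_password)


if __name__ == "__main__":
    # Constructed sample values.
    cred = create_credential("correct horse battery staple")
    try:
        reset_password(cred, "correct horse battery staple")
    except PasswordReuseError as exc:
        print("rejected:", exc)
    new_cred = reset_password(cred, "a different passphrase")
    print("old password still valid?", matches("correct horse battery staple", new_cred))
```

Because `matches` re-derives the candidate with the stored salt, the comparison works even though the old password itself is never kept; after the reset the old salt and hash are overwritten, which is exactly the property the issue argues for over a multi-password history.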

Due to use of SSO as a general rule, the priority of this issue is low.

01es avatar Sep 17 '24 00:09 01es