Maintain a password history to avoid re-using an old password

Bug #1613266 reported by Paul Everitt
Affects: KARL4
Status: Fix Released
Importance: Medium
Assigned to: Carlos de la Guardia

Bug Description

"keep the last 5-10 passwords"

Let's keep the last 10 passwords for a user and, if they do a password change that matches any of those 10, we throw a form validation error of "Please use a password that was not previously used".

For the implementation:

- Let's store the password hashes, obviously

- Change the "set new password" view to push the just-changed hash onto the list

- Maintain a dumb persistent python list, doesn't need to be anything fancy
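The scheme above, as an added example that is not KARL's own code: a bounded history of the last 10 hashes, pushed to on every password change, with the reuse check returning the form validation message. The `User` class, the `salt$hash` storage format and the PBKDF2 cost are assumptions for the demo; the one point the bug description leaves implicit is that salted hashes cannot be compared by string equality, so each stored hash has to be verified against the candidate password.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional

HISTORY_SIZE = 10        # keep the last 10 passwords, per the bug description
PBKDF2_ROUNDS = 20_000   # assumption: kept low for the demo; raise it in production
REUSE_MESSAGE = "Please use a password that was not previously used"


class PasswordReused(ValueError):
    """Raised by User.set_password when the new password matches a recent one."""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 and a fresh salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored entry's own salt; compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class User:
    """Minimal stand-in for the user object (assumed; not the project's class)."""

    def __init__(self) -> None:
        self.password_hash: Optional[str] = None
        # Plain bounded list: once 10 hashes are stored the oldest is dropped.
        self.password_history: deque = deque(maxlen=HISTORY_SIZE)

    def set_password(self, new_password: str) -> None:
        error = validate_new_password(self, new_password)
        if error:
            raise PasswordReused(error)
        new_hash = hash_password(new_password)
        self.password_hash = new_hash
        self.password_history.append(new_hash)  # "push the just-changed hash"


def validate_new_password(user: User, new_password: str) -> Optional[str]:
    """Form-validation hook: the error message if recently used, else None."""
    # Each entry has its own salt, so equality of hash strings would never
    # match; every stored hash must be checked against the candidate.
    if any(verify_password(new_password, old) for old in user.password_history):
        return REUSE_MESSAGE
    return None
```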

Tags: auth
tags: added: auth
removed: gsasync
Paul Everitt (paul-agendaless) wrote :

I changed this to 10 instead of five. Also, I previously made some noise about password reset being stashed on password history. But actually, we don't put a random password on the user for password reset, so nothing special needed there.

description: updated
Changed in karl4:
milestone: 022 → 023
Carlos de la Guardia (cguardia) wrote :

This is ready to test in the same expire_passwords branch as the other work.

Changed in karl4:
status: New → Fix Committed
Changed in karl4:
status: Fix Committed → Fix Released