Maintain a password history to avoid re-using an old password
Bug #1613266 reported by Paul Everitt
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
KARL4 | Fix Released | Medium | Carlos de la Guardia | | |
Bug Description
"keep the last 5-10 passwords"
Let's keep the last 10 passwords for a user and, if they do a password change that matches any of those 10, we throw a form validation error of "Please use a password that was not previously used".
For the implementation:
- Let's store the password hashes, obviously
- Change the "set new password" view to push the just-changed hash onto the list
- Maintain a dumb persistent Python list, doesn't need to be anything fancy
tags: added: auth; removed: gsasync
Changed in karl4: milestone: 022 → 023
Changed in karl4: status: Fix Committed → Fix Released
I changed this to 10 instead of five. Also, I previously made some noise about password reset being stashed on password history. But actually, we don't put a random password on the user for password reset, so nothing special needed there.
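
A sketch of the history check described in this bug, added here as an illustration and not taken from the KARL code base. It assumes salted PBKDF2 hashes, which means a candidate password has to be re-hashed with each stored salt rather than compared hash-to-hash; the function names, the work factor and the list-of-tuples layout are all assumptions.

```python
import hashlib
import hmac
import os

HISTORY_LIMIT = 10        # the bug settles on the last 10 passwords
PBKDF2_ROUNDS = 100_000   # assumed work factor, not taken from KARL
REUSE_ERROR = "Please use a password that was not previously used"


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(history, candidate):
    """Check a candidate against every stored (salt, digest) pair.

    Salted hashes of the same password differ, so the candidate is
    re-hashed with each stored salt and compared in constant time.
    """
    reused = False
    for salt, digest in history:
        _, attempt = hash_password(candidate, salt)
        reused |= hmac.compare_digest(attempt, digest)
    return reused


def change_password(history, new_password):
    """Form-validation step: return an error string, or None on success.

    On success the new hash is pushed onto the plain list and the list
    is trimmed to the newest HISTORY_LIMIT entries.
    """
    if was_used_before(history, new_password):
        return REUSE_ERROR
    history.append(hash_password(new_password))
    del history[:-HISTORY_LIMIT]
    return None
```

Because the just-set password is pushed onto the list, the current password is always part of the history, so "changing" to the same password is rejected as well.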