Prevent SSO users from reusing an old password as their new password
Bug #1055739 reported by Joey Stanford
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Won't Fix | Wishlist | Unassigned |
Bug Description
Hi,
Please enhance SSO such that it prevents a ~canonical user from reusing an old password.
PCI-DSS requires us to prevent the previous 4 passwords from being used. Ideally we should also prevent any passwords used within the last 24 months as per good IT security best practice.
Thanks.
Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → Wishlist
From Payment Card Industry (PCI) Data Security Standard, v3.2.1:
8.2.4 Change user passwords/passphrases at least once every 90 days.
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
This hasn't been an issue in 7 years, so I'll mark WONTFIX until we get a specific requirement from e.g. legal to whip ourselves up into full PCI DSS compliance.
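The check the report asks for, as an added example that is not part of the Canonical SSO code base: a per-account password history that rejects a candidate matching any of the last four passwords (PCI DSS 8.2.5, quoted above) or any password used within the reporter's 24-month window. History entries hold only a salt and a PBKDF2 digest, never the old password; the iteration count and the sample rotation dates are constructed values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy parameters from the bug report: PCI DSS 8.2.5 forbids the last four
# passwords; the reporter additionally wants anything used in the last 24 months.
HISTORY_DEPTH = 4
HISTORY_WINDOW = timedelta(days=730)
PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hashing budget

REUSED_RECENT = "matches one of the last %d passwords" % HISTORY_DEPTH
REUSED_IN_WINDOW = "was used within the last 24 months"


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so old passwords are never kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-account history of (changed_at, salt, digest) tuples, oldest first."""

    def __init__(self) -> None:
        self.entries: List[Tuple[datetime, bytes, bytes]] = []

    def rejection_reason(self, candidate: str, now: datetime) -> Optional[str]:
        """Return why `candidate` may not be used, or None if it is acceptable."""
        first_recent = max(0, len(self.entries) - HISTORY_DEPTH)
        for index, (changed_at, salt, digest) in enumerate(self.entries):
            # Constant-time comparison so a mismatch does not leak digest bytes.
            if not hmac.compare_digest(derive(candidate, salt), digest):
                continue
            if index >= first_recent:
                return REUSED_RECENT
            if now - changed_at < HISTORY_WINDOW:
                return REUSED_IN_WINDOW
        return None  # only matches (if any) are older than both limits

    def set_password(self, password: str, now: datetime) -> None:
        reason = self.rejection_reason(password, now)
        if reason is not None:
            raise ValueError("password rejected: " + reason)
        salt = os.urandom(16)  # fresh salt per entry, so equal passwords never share a digest
        self.entries.append((now, salt, derive(password, salt)))


if __name__ == "__main__":
    history = PasswordHistory()
    start = datetime(2020, 1, 1, tzinfo=timezone.utc)
    for i in range(1, 6):  # constructed sample: five rotations, one day apart
        history.set_password("example-pw-%d" % i, start + timedelta(days=i))
    print(history.rejection_reason("example-pw-5", start + timedelta(days=30)))
```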