Prevent SSO users from resuing an old password as their new password
Bug #1055739 reported by
Joey Stanford
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical SSO provider |
Won't Fix
|
Wishlist
|
Unassigned | ||
Bug Description
Hi,
Please enhance SSO such that it prevents a ~canonical user from reusing an old password.
PCI-DSS requires us to prevent the previous 4 passwords from being used. Ideally we should also prevent any passwords used within the last 24 months as per good IT security best practice.
Thanks.
| Changed in canonical-identity-provider: | |
| status: | New → Confirmed |
| importance: | Undecided → Wishlist |
Revision history for this message
| Daniel Manrique (roadmr) wrote | #1 |
| Changed in canonical-identity-provider: | |
| status: | Confirmed → Won't Fix |
To post a comment you must log in.
From Payment Card Industry (PCI) Data Security Standard, v3.2.1:
8.2.4 Change user passwords/
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/
This hasn't been an issue in 7 years, so I'll mark WONTFIX until we get a specific requirement from e.g. legal to whip ourselves up into full PCI DSS compliance.