From:Mark Goodge Date:January 21 2010 11:42am
Subject:Re: Record old passwords ?
On 21/01/2010 11:07, Lucio Chiappetti wrote:
> On Tue, 19 Jan 2010, Tompkins Neil wrote:
>
>> I can enforce that the user can't use the same password as the
>> previous four when they change their password. However, the user can
>> manipulate this by changing the password four times and then resetting
>> back to their original password. How would I overcome this problem?
>> Any thoughts or recommendations?
>
> Probably if your users do that, it means they (rightfully) consider
> being compelled to change their password A DAMN NUISANCE. Abandon the
> idea.
>
> I share their feeling about forcing this change of passwords, and can
> see almost no real life application (unless perhaps one is a spy) which
> really requires this degree of security!

The real life application most commonly encountered where this is 
necessary is where your organisation wishes to process credit card or 
other financial data, and needs to be certified as PCI compliant by the 
banks and card companies in order to be able to process payments via 
their systems. One of the requirements of PCI compliance is that any 
login which has access to financial data must have the password changed 
regularly, with restrictions on reusing recent passwords.

Now, you may well argue that the PCI requirements are wrong in this 
respect, and if so then a lot of people may well agree with you :-) 
However, unless you are a huge multinational and able to negotiate your 
own terms with the banks, disagreeing with the requirements doesn't 
alter the need to comply with them - at least, not if you want to be 
able to use their payment APIs.

Mark
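The password-history check from Neil's question, with the "change it four times and set it back" workaround replayed against it, as an added example that is not part of the thread. It assumes an in-memory SQLite table named `password_history` standing in for the real MySQL table, salted PBKDF2 hashes for the stored history, and a `Policy` object holding the history depth (four, as in the question) plus a minimum password age; the minimum age is the usual countermeasure to the cycling trick and is an assumption of this example, not something anyone in the thread proposed.

```python
"""Password-history enforcement demo (added example, not code from the thread).

Assumptions: SQLite stands in for MySQL, history rows hold salted PBKDF2 hashes,
and a Policy with a minimum password age is the mitigation under test.
"""
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; use far more in production


@dataclass(frozen=True)
class Policy:
    history_depth: int = 4      # "previous four", as in the question
    min_age_seconds: int = 0    # 0 = no minimum age, which is the situation in the question


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the real history table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password_history ("
        " user TEXT NOT NULL, salt BLOB NOT NULL, hash BLOB NOT NULL,"
        " changed_at INTEGER NOT NULL)"
    )
    return conn


def rejection_reason(conn, user, new_password, now, policy):
    """Return None if the change is allowed, otherwise a short reason string."""
    rows = conn.execute(
        "SELECT salt, hash, changed_at FROM password_history"
        " WHERE user = ? ORDER BY changed_at DESC LIMIT ?",
        (user, policy.history_depth),
    ).fetchall()
    # Minimum age: the most recent change must be old enough before another is allowed.
    if rows and now - rows[0][2] < policy.min_age_seconds:
        return "changed too recently"
    # Each stored hash has its own salt, so the candidate is hashed under every salt.
    for salt, digest, _ in rows:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            return "matches one of the last %d passwords" % policy.history_depth
    return None


def set_password(conn, user, new_password, now, policy):
    """Record a new password, or raise ValueError when the policy forbids it."""
    reason = rejection_reason(conn, user, new_password, now, policy)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO password_history (user, salt, hash, changed_at) VALUES (?, ?, ?, ?)",
        (user, salt, _hash(new_password, salt), now),
    )
    conn.commit()


def cycling_bypass_succeeds(policy):
    """Replay the workaround from the question: change the password history_depth
    times in quick succession (one second apart), then try to restore the original."""
    conn = open_db()
    original = "original-secret"  # constructed sample value
    set_password(conn, "neil", original, now=0, policy=policy)
    try:
        for i in range(policy.history_depth):
            set_password(conn, "neil", "throwaway-%d" % i, now=i + 1, policy=policy)
        set_password(conn, "neil", original, now=policy.history_depth + 1, policy=policy)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("no minimum age, bypass works:", cycling_bypass_succeeds(Policy(4, 0)))
    print("one-day minimum age, bypass works:", cycling_bypass_succeeds(Policy(4, 86400)))
```

With `Policy(4, 0)` the history check alone behaves exactly as Neil describes: four throwaway changes push the original hash out of the window and it is accepted again. With a one-day minimum age the first rapid change is refused. A minimum age only makes the cycle cost `history_depth` days rather than a minute, so a longer history (or a compliance-driven policy like the PCI one Mark mentions) is what actually decides how painful the workaround is.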