| List: | General Discussion |
| From: | John Meyer | Date: | January 21 2010 3:07pm |
| Subject: | Re: Record old passwords ? |
On 1/19/2010 7:49 AM, Mark Goodge wrote:
> On 19/01/2010 14:44, Tompkins Neil wrote:
>> Hi All,
>>
>> Following on from my earlier email - I've the following question now:
>>
>> I can enforce that the user can't use the same password as the previous four
>> - when they change their password. However, the user can manipulate this by
>> changing the password four times and then resetting back to their original
>> password. How would I overcome this problem? Any thoughts or
>> recommendations?
>
> Store the date/time that the password was changed, and as well as not
> allowing one within the past four passwords you can also disallow one
> that was last used within the past N days, for whatever value of N you
> prefer.
>
> Mark
>

Keep in mind that if you do this you may be setting yourself up for other security risks (people writing down passwords, etc). If a security measure gets in the way of the right people's ability to access the environment, they will find a way to circumvent it--and screw over your PCI compliance in the process.
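
The combined rule discussed in this thread (last-four check plus a minimum reuse age of N days), as an added example that is not part of the original messages. The function names, the 90-day value for N, the PBKDF2 work factor and the sample passwords are assumptions made for illustration; history entries hold only salted digests and the time each password was set.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_COUNT = 4        # the "previous four" rule from the thread
PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def reuse_block_reason(history, candidate, now, min_reuse_days):
    """history: list of (salt, digest, set_at), oldest first, last = current.
    Returns "count" or "age" if the candidate is rejected, else None."""
    for i, (salt, digest, _set_at) in enumerate(history):
        if not hmac.compare_digest(_digest(candidate, salt), digest):
            continue
        if i >= len(history) - HISTORY_COUNT:
            return "count"  # one of the four most recent passwords
        # An older entry stayed in use until the next entry replaced it.
        retired_at = history[i + 1][2]
        if now - retired_at < timedelta(days=min_reuse_days):
            return "age"    # last used within the past N days
    return None

def change_password(history, candidate, now, min_reuse_days):
    """Append the new password if allowed; return the rejection reason or None."""
    reason = reuse_block_reason(history, candidate, now, min_reuse_days)
    if reason is None:
        salt = os.urandom(16)  # per-entry salt; only digests are stored
        history.append((salt, _digest(candidate, salt), now))
    return reason

def simulate_cycle(min_reuse_days):
    """Constructed scenario: four quick changes, then back to the original."""
    start = datetime(2010, 1, 19)
    history = []
    change_password(history, "original-pw", start, min_reuse_days)
    for k in range(1, 5):
        change_password(history, "throwaway-%d" % k,
                        start + timedelta(minutes=k), min_reuse_days)
    return change_password(history, "original-pw",
                           start + timedelta(minutes=5), min_reuse_days)

if __name__ == "__main__":
    print("count rule only:", simulate_cycle(0))
    print("count + 90 days:", simulate_cycle(90))
```

With `min_reuse_days` set to 0 the cycle back to the original password is accepted; with 90 it is rejected with reason `"age"`.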
