On 21/01/2010 11:07, Lucio Chiappetti wrote:
> On Tue, 19 Jan 2010, Tompkins Neil wrote:
>> I can enforce that the user can't use the same password as the
>> previous four
>> - when they change their password. However, the user can manipulate
>> this by
>> changing the password four times and then resetting back to their
>> password. How would I overcome this problem? Any thoughts or
>> recommendations?
> Probably if your users do that, it means they (rightfully) consider A
> DAMN NUISANCE the fact to be compelled to change password. Abandon the
> I share their feeling about forcing this change of passwords, and can
> see almost no real-life application (unless perhaps one is a spy) which
> really requires this degree of security!
The real life application most commonly encountered where this is
necessary is where your organisation wishes to process credit card or
other financial data, and needs to be certified as PCI compliant by the
banks and card companies in order to be able to process payments via
their systems. One of the requirements of PCI compliance is that any
login which has access to financial data must have the password changed
regularly, with restrictions on reusing recent passwords.
Now, you may well argue that the PCI requirements are wrong in this
respect, and if so then a lot of people may well agree with you :-)
However, unless you are a huge multinational and able to negotiate your
own terms with the banks, disagreeing with the requirements doesn't
alter the need to comply with them - at least, not if you want to be
able to use their payment APIs.
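The history check Neil describes, and the four-changes-then-reset cycle that defeats it, as an added worked example (not code from any poster in this thread). The `PasswordHistory` class, the `cycle_back_to_original` simulation and the 24-hour minimum password age are my assumptions: the thread never names a fix, and a minimum age is one common control that makes the cycle take days instead of seconds rather than preventing it outright.

```python
import hashlib
import hmac
import os

# From the thread: a new password may not match any of the previous four.
HISTORY_DEPTH = 4
# Assumed mitigation, not stated in the thread: a minimum password age,
# so four consecutive changes cost at least four days instead of seconds.
MIN_AGE_SECONDS = 24 * 3600
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history store never holds reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user state: the current password hash plus the recent ones before it."""

    def __init__(self, initial_password: str, now: float,
                 depth: int = HISTORY_DEPTH, min_age: float = MIN_AGE_SECONDS):
        self.depth = depth
        self.min_age = min_age
        self.entries: list[tuple[bytes, bytes]] = []  # (salt, hash), newest last
        self.last_change = now
        self._remember(initial_password)

    def _remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        # Keep exactly `depth` entries: the current password and those before it.
        del self.entries[:-self.depth]

    def was_used_recently(self, password: str) -> bool:
        """True if `password` matches any remembered hash (constant-time compare)."""
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.entries)

    def change_password(self, new_password: str, now: float) -> tuple[bool, str]:
        """Apply the policy; returns (accepted, reason)."""
        if now - self.last_change < self.min_age:
            return False, "too soon since last change"
        if self.was_used_recently(new_password):
            return False, "password matches one of the recent passwords"
        self._remember(new_password)
        self.last_change = now
        return True, "ok"


def cycle_back_to_original(min_age: float, seconds_between_changes: float,
                           throwaway_changes: int = HISTORY_DEPTH) -> tuple[bool, int]:
    """Simulate the cycle from the thread against a single user.

    Returns (reset_to_original_accepted, throwaway_changes_accepted).
    The clock is simulated so the effect of the minimum age is visible.
    """
    clock = 0.0
    user = PasswordHistory("Original!1", now=clock, min_age=min_age)  # constructed sample
    accepted = 0
    for i in range(throwaway_changes):
        clock += seconds_between_changes
        ok, _ = user.change_password(f"Throwaway{i}!", now=clock)
        if not ok:
            return False, accepted
        accepted += 1
    clock += seconds_between_changes
    ok, _ = user.change_password("Original!1", now=clock)
    return ok, accepted


if __name__ == "__main__":
    print("no min age, instant changes:", cycle_back_to_original(0, 0))
    print("only 3 throwaways:", cycle_back_to_original(0, 0, throwaway_changes=3))
    print("min age, instant changes:", cycle_back_to_original(MIN_AGE_SECONDS, 0))
    print("min age, one change per day:", cycle_back_to_original(MIN_AGE_SECONDS, MIN_AGE_SECONDS))
```

With no minimum age the four throwaway changes push the original out of the history window and the reset is accepted; with a minimum age the same sequence is refused at the first change, and only a user willing to wait a day between changes can still complete it, which is the trade-off a policy author has to accept.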