
List:       forgerock-opendj
Subject:    Re: [Opendj] RE : Password policies
From:       Ludovic Poitou <ludovic.poitou () forgerock ! com>
Date:       2014-04-16 13:20:04
Message-ID: CAL60-Kha5w8046skY5bhLdksv7Wtxw85LntL1_jTWVbbvbRmpg () mail ! gmail ! com

Ok, I can see the value, but if we were to add such a feature, I would
also condition it on a time limit, i.e. only check old passwords
that have been changed within the last hour or so (configurable
limit).

Ludo
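The rule being discussed, written out as an added example (this is not OpenDJ code, and the policy values, function names and the scenario are assumptions chosen for illustration): a bind handler keeps a short history of retired passwords with the time each was retired; a bind that fails with a password retired inside a configurable window is still refused, but it does not advance the failed-bind counter, while any other wrong password counts toward lockout as usual.

```python
"""Added illustration of the lockout rule discussed in the thread: a bind
that fails with a recently retired password is still refused, but does not
advance the failed-bind counter. Policy values are assumptions, not OpenDJ's."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy knobs; the thread fixes none of these numbers.
LOCKOUT_THRESHOLD = 3                # failed binds before the account locks
HISTORY_DEPTH = 2                    # retired passwords remembered ("N-2")
GRACE_WINDOW = timedelta(hours=1)    # older retired passwords count as plain failures
PBKDF2_ROUNDS = 50_000               # kept low so the demo runs quickly


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    retired_at: Optional[datetime] = None  # None while this is the current password

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _digest(password, self.salt))


@dataclass
class Account:
    current: StoredPassword
    history: list = field(default_factory=list)  # most recently retired first
    failed: int = 0
    locked: bool = False


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(StoredPassword(salt, _digest(password, salt)))


def change_password(acct: Account, new_password: str, now: datetime) -> None:
    """Retire the current password into the history and reset the counter."""
    acct.current.retired_at = now
    acct.history.insert(0, acct.current)
    del acct.history[HISTORY_DEPTH:]
    salt = os.urandom(16)
    acct.current = StoredPassword(salt, _digest(new_password, salt))
    acct.failed = 0


def bind(acct: Account, password: str, now: datetime) -> str:
    """Server-side outcome: 'ok', 'locked', 'stale' or 'invalid'.
    Only 'ok' authenticates the caller."""
    if acct.locked:
        return "locked"
    if acct.current.matches(password):
        acct.failed = 0
        return "ok"
    for old in acct.history:
        # Check the timestamp first so expired entries cost no PBKDF2 work.
        if now - old.retired_at <= GRACE_WINDOW and old.matches(password):
            return "stale"        # refused, but not counted toward lockout
    acct.failed += 1
    if acct.failed >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return "invalid"


def client_result(outcome: str) -> str:
    """What the LDAP client should see: 'stale' and 'invalid' must be
    indistinguishable so a guesser cannot learn that a former password was hit."""
    return "success" if outcome == "ok" else "invalidCredentials"


def demo() -> dict:
    """Constructed scenario: the user changes their password while a mail
    client keeps retrying the old one, then a guesser shows up."""
    t0 = datetime(2014, 4, 16, 13, 0, tzinfo=timezone.utc)
    acct = new_account("winter2013")
    change_password(acct, "spring2014", t0)
    out = {}
    out["replay_in_window"] = [bind(acct, "winter2013", t0 + timedelta(minutes=m))
                               for m in (1, 10, 30)]
    out["failed_after_replay"] = acct.failed
    out["user_login"] = bind(acct, "spring2014", t0 + timedelta(minutes=31))
    out["replay_after_window"] = bind(acct, "winter2013", t0 + timedelta(hours=2))
    out["failed_after_window"] = acct.failed
    out["wrong_guesses"] = [bind(acct, f"guess{i}", t0 + timedelta(hours=2, minutes=1 + i))
                            for i in range(2)]
    out["locked"] = acct.locked
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points a practitioner would check in such an implementation: the client-visible LDAP result must be the same invalidCredentials for a stale password and for any other wrong one, with the distinction kept only in server-side logs, and each failed bind now costs one extra password hash per history entry still inside the window, which is why the timestamp is tested before the hash. The window also bounds the exposure: once it has passed, a retired password is treated like any other wrong guess.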

On Wed, Apr 16, 2014 at 3:16 PM, Major Péter <majorpetya@gmail.com> wrote:
> I believe the purpose of the feature is that the failure count does not get
> incremented when an old password is presented, but it would be still a
> failed BIND attempt (i.e. the user wouldn't get logged in).
>
> cheers,
> Peter
>
> On 2014.04.16. 14:13, Ludovic Poitou wrote:
>
>> So my previous email crossed your answer.
>> No, OpenDJ will not validate passwords against previous passwords. IMO,
>> this can be a serious security risk ( especially if a password was
>> reset because it was compromised).
>>
>> Regards,
>>
>> Ludovic.
>>
>> On Wed, Apr 16, 2014 at 3:09 PM, Belleville-Rioux, Vincent
>> <rioux.vincent@uqam.ca> wrote:
>>>
>>> From what I understand, this is something else.
>>>
>>> AD keeps a history (when enabled) of past passwords.
>>>
>>> When a user changes his password, other devices may continue to use the
>>> past password.
>>>
>>> Those devices may be hammering the directory with the past password, thus
>>> counting on the bad password count and eventually locking the user out.
>>>
>>> AD "fixes" this by comparing the bad password with the ones stored in
>>> history (N-2).  If there is a match, the bad password count is NOT
>>> incremented at all.
>>>
>>> Vincent
>>>
>>> _______________________________________________
>>> OpenDJ mailing list
>>> OpenDJ@forgerock.org
>>> https://lists.forgerock.org/mailman/listinfo/opendj