List: websecurity
Subject: [WEB SECURITY] Fwd: What's the best way to maintain password
From: Subin <subin.net () gmail ! com>
Date: 2011-11-10 23:40:46
Message-ID: 2C304FAF-1A93-4521-9606-030D75A3EFE3 () gmail ! com
> From: Subin <subin.net@gmail.com>
> Date: November 10, 2011 3:22:13 PM EST
> To: "websecurity@lists.webappsec.org" <websecurity@lists.webappsec.org>
> Subject: [WEB SECURITY] What's the best way to maintain password history?
>
> I'm looking for the most secure way to manage password history when a user resets (or creates a new) user id in a secure PCI DSS website.
> Should we maintain a single user id per account and wipe out or overwrite the existing user id and password history? (This defeats the purpose of maintaining a password history, as the user can always reuse the same id and password.)
> Or
>
> Should we create a new, second user id associated to this account and make sure the previous user id is not used again? In this case, should we map the old password history to the new one or let the user use his previous passwords on the new id?
> This is on top of the RSA two-factor authentication; the credentials referred to here are what is stored in the application database to enforce password history (PassMark authentication does not enforce password history).
> Please advise,
>
> Thanks
> Subin
>
> Sent from my iPhone
>
>
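The second option in the question (a new login id tied to the same account, old id retired, password history carried over) sketched as working code. This is an added example, not code from the original post; the account/user-id model, `HISTORY_DEPTH` and the sample credentials are constructed assumptions.

```python
"""Account-scoped password history (added example, not from the thread).

Assumption: history is keyed by a stable account id, not by the login/user id,
so re-issuing a user id cannot escape the history. Old passwords are kept only
as salted PBKDF2 hashes. HISTORY_DEPTH is a constructed value.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 4  # constructed: number of previous passwords remembered


@dataclass
class Account:
    account_id: str
    user_ids: set = field(default_factory=set)   # current and retired login ids
    active_user_id: str = ""
    history: list = field(default_factory=list)  # oldest first: (salt, hash)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow KDF so the history store is not a dictionary of cheap hashes
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def was_used_before(acct: Account, password: str) -> bool:
    # Constant-time compare against every remembered hash for this account
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in acct.history)


def set_password(acct: Account, password: str) -> bool:
    """Reject reuse against the account's history; True on success."""
    if was_used_before(acct, password):
        return False
    salt = os.urandom(16)
    acct.history.append((salt, _hash(password, salt)))
    del acct.history[:-HISTORY_DEPTH]  # keep only the newest entries
    return True


def reissue_user_id(acct: Account, new_user_id: str) -> bool:
    """New login id for the same account; previous ids stay retired,
    and the password history is untouched, so it still applies."""
    if new_user_id in acct.user_ids:
        return False
    acct.user_ids.add(new_user_id)
    acct.active_user_id = new_user_id
    return True
```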
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org