Password Expiry permits reusing current password as new password

Question

Password Expiry permits reusing current password as new password

eliotsykes opened this issue 8 years ago · comments

Password expiry allows a user with an expired password to reuse their current password as their new password.

Eliot Sykes · Answer 1 · Wed Apr 20 2016 22:14:56 GMT+0800 (China Standard Time)

You can setup the password_archiveable module as a workaround for this bug. This prevented the current password from being set as the new password with the following settings in the initializer:

  # How many passwords to keep in archive
  config.password_archiving_count = 4

  # Deny old password (true, false, count)
  config.deny_old_passwords = true

Mario Manno · Answer 2 · Wed Apr 20 2016 22:45:36 GMT+0800 (China Standard Time)

Thanks for bringing this up. Using both modules together is the expected way to implement password expiry without password reuse. If this was not clear from the README.md we need to update the documentation.

Eliot Sykes · Answer 3 · Wed Apr 20 2016 23:02:13 GMT+0800 (China Standard Time)

Thanks @manno - documented in #177

Mathieu Jobin · Answer 4 · Thu Apr 21 2016 06:14:23 GMT+0800 (China Standard Time)

this new feature also allow to prevent the reuse of all previous password newer than a X date.

#174