
Do not store password history entries with outdated hash

    Details

    • Type: Task
    • Status: Done
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: v2.8.0
    • Labels:
      None

      Description

      Currently Unity can be configured to keep previous passwords (password history). Those history entries are never rehashed, so after the hashing policy is changed they remain protected only by the old, possibly weaker, settings. Two changes are needed to limit the damage from a compromised password database:

      • Whenever the hashing policy is changed, all historical entries hashed with other settings must be removed. This should happen at the moment the password settings are changed.
      • Whenever the history length is changed, all historical entries above the new threshold must be removed immediately.

      The changes also require a migration that removes excess or wrongly hashed historical entries from existing data.
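      The two rules above, plus the migration, as an added example in Python (this is illustration code, not Unity's own implementation; the names HashPolicy, HistoryEntry, Credential, prune_history, set_password, login and migrate are assumptions for this example, and PBKDF2-HMAC-SHA256 stands in for whatever scheme the deployment uses). The point it shows is that a history entry must carry the settings it was hashed with, that an entry hashed under other settings can only be dropped (the plaintext is gone, so it cannot be rehashed), and that the only place the current password can be upgraded in place is a successful login.

```python
# Added example, not Unity's own code: password-history entries carry the hash
# settings that produced them, so a policy change can prune everything hashed
# under the old settings and a history-length change can trim immediately.
# All class and function names here are assumptions for this illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HashPolicy:
    """Password hashing settings plus how many old passwords to remember."""
    iterations: int = 600_000          # PBKDF2-HMAC-SHA256 work factor
    history_length: int = 5


@dataclass(frozen=True)
class HistoryEntry:
    """One stored hash, tagged with the settings used to compute it."""
    iterations: int
    salt: bytes
    digest: bytes

    def matches(self, policy: HashPolicy) -> bool:
        return self.iterations == policy.iterations


def hash_password(password: str, policy: HashPolicy) -> HistoryEntry:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, policy.iterations)
    return HistoryEntry(policy.iterations, salt, digest)


def verify(password: str, entry: HistoryEntry) -> bool:
    # Recompute with the entry's own settings, not the current policy's.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry.salt, entry.iterations)
    return hmac.compare_digest(candidate, entry.digest)


@dataclass
class Credential:
    current: HistoryEntry
    history: list = field(default_factory=list)   # newest first


def prune_history(cred: Credential, policy: HashPolicy) -> int:
    """Apply the two rules from the ticket. Returns the number of entries dropped."""
    before = len(cred.history)
    # Rule 1: anything hashed with other settings is removed outright; it
    # cannot be rehashed because the plaintext is not available.
    kept = [e for e in cred.history if e.matches(policy)]
    # Rule 2: anything beyond the (possibly new) history length is removed.
    cred.history = kept[:policy.history_length]
    return before - len(cred.history)


def set_password(cred: Credential, new_password: str, policy: HashPolicy) -> None:
    """Reject reuse against the current and remembered passwords, then rotate."""
    for entry in [cred.current] + cred.history:
        if verify(new_password, entry):
            raise ValueError("password was used recently")
    cred.history.insert(0, cred.current)
    cred.current = hash_password(new_password, policy)
    # If the old current hash was made under different settings, rule 1 drops
    # it here as well: the reuse window shrinks rather than keeping a weak hash.
    prune_history(cred, policy)


def login(cred: Credential, password: str, policy: HashPolicy) -> bool:
    """The only place the plaintext is available: upgrade the current hash in place."""
    if not verify(password, cred.current):
        return False
    if not cred.current.matches(policy):
        cred.current = hash_password(password, policy)
    return True


def migrate(credentials: list, policy: HashPolicy) -> int:
    """One-off migration after a settings change; returns total entries dropped."""
    return sum(prune_history(c, policy) for c in credentials)


if __name__ == "__main__":
    # Constructed walk-through: low iteration count only to keep the demo fast.
    old = HashPolicy(iterations=1000, history_length=3)
    cred = Credential(current=hash_password("pw0", old))
    for pw in ("pw1", "pw2", "pw3", "pw4"):
        set_password(cred, pw, old)
    new = HashPolicy(iterations=2000, history_length=3)
    print("dropped on policy change:", migrate([cred], new))
    print("current upgraded on login:", login(cred, "pw4", new), cred.current.iterations)
```

      Note that migrate only touches history; the current password of each account is still hashed with the old settings until that user logs in, because only then is the plaintext available to rehash it.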

            People

            • Assignee: golbi Krzysztof Benedyczak
            • Reporter: golbi Krzysztof Benedyczak
