We have started that per policies at our institution.  We never store plain 
passwords, though.  We store passwords and a password history as MD5 hashes, 
then just do a quick MD5() on what they entered and what they have in the DB.

We also have all the same restrictions you've listed (3 types of 
characters/numbers, length, password expiry, etc.).  It's taken some amount of 
effort, but we've deployed them as internal web services so all apps use the 
same rules, no exceptions.  And if we decide to change the rules, we do it once 
and it's done.

My 2¢,
Lincoln
 

-----Original Message-----
From: Mik Muller [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 08, 2007 1:15 PM
To: CF-Talk
Subject: RE: Validate Password

Nice piece of work. And I learned a thing or two, too.

One question: wouldn't the query below just check to see if the password had 
been used three times site-wide? Wouldn't you want to also check that it wasn't 
used by the user in question? I know it wasn't stated in the list, but I'm 
inferring that would be a requirement. This also assumes that the user 
management functionality includes a vehicle for forcing changing your password 
every x number of days, and also validates that the current password works for 
that particular username. There has to be a correlation.

And a theoretical question... do people generally store their users' previous 
passwords in a list?

Michael


At 11:22 AM 2/8/2007, you wrote:
>This can't be done on the client-side, of course, because you're
>checking the password history.
>
>How about this:
>
><cffunction name="isValid" returntype="boolean" output="no">
>        <cfargument name="fieldValue" type="string" />
>        <cfset var local=structNew() />
>        <cfset local.isValid=0 />
>        
>        <cfquery name="chkPwrdHist" datasource="myDSN">
>                SELECT TOP 3 *
>                FROM [pwrdTbl]
>                WHERE [pwrd]=<cfqueryparam value="#arguments.fieldValue#" />
>                ORDER BY [setDate] DESC
>        </cfquery>
>        <cfif chkPwrdHist.recordCount eq 3><cfreturn false /></cfif>
>
>        <cfif len(arguments.fieldValue) lt 8 or len(arguments.fieldValue) gt 127><cfreturn false /></cfif>
>
>        <cfif REFind("[A-Z]+",arguments.fieldValue)><cfset local.isValid=local.isValid+1 /></cfif>
>        <cfif REFind("[a-z]+",arguments.fieldValue)><cfset local.isValid=local.isValid+1 /></cfif>
>        <cfif REFind("[0-9]+",arguments.fieldValue)><cfset local.isValid=local.isValid+1 /></cfif>
>        <cfif REFind("[\W_]+",arguments.fieldValue)><cfset local.isValid=local.isValid+1 /></cfif>
>        <cfif local.isValid lt 3><cfreturn false /></cfif>
>        <cfreturn true />
></cffunction>

--------
Michael Muller
Admin, MontagueMA.net Website
work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net

Eschew Obfuscation
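The per-user history check Mik asks about, combined with the hashed password history Lincoln describes, as an added example that is not code from anyone in this thread. It is Python rather than the CFML of the quoted isValid(), and it assumes a SQLite table pwrdTbl(userId, pwrdHash, salt, setDate) of its own invention, a userId passed in alongside the candidate password, and PBKDF2-HMAC-SHA256 with a random per-row salt in place of a single unsalted MD5(). Because every row carries its own salt there is no one value to put in WHERE [pwrd] = ?, so the candidate is rehashed against each of this user's last three entries, and any match rejects it rather than only a count of exactly three. The complexity rule (8 to 127 characters, at least three of four character classes) is the one from the quoted function.

```python
# Added example, not from the CF-Talk thread. Assumed schema and hash scheme:
# pwrdTbl(userId, pwrdHash, salt, setDate) in SQLite, PBKDF2-HMAC-SHA256 with a
# per-row salt. The quoted CFML used an unspecified table and a plain MD5().
import hashlib
import hmac
import os
import re
import sqlite3
from datetime import datetime, timezone

HISTORY_DEPTH = 3        # "last three passwords", as in the quoted isValid()
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it to suit your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash. One MD5() over the bare password lets a
    leaked table be attacked with a single precomputed dictionary for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the post's [pwrdTbl]; the userId column is the
    addition Mik's question calls for."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pwrdTbl (userId TEXT NOT NULL, pwrdHash BLOB NOT NULL, "
        "salt BLOB NOT NULL, setDate TEXT NOT NULL)"
    )
    return conn


def record_password(conn, user_id: str, password: str, set_date=None) -> None:
    """Store a newly accepted password with a fresh random salt."""
    salt = os.urandom(16)
    when = (set_date or datetime.now(timezone.utc)).isoformat()
    conn.execute(
        "INSERT INTO pwrdTbl (userId, pwrdHash, salt, setDate) VALUES (?, ?, ?, ?)",
        (user_id, hash_password(password, salt), salt, when),
    )


def in_recent_history(conn, user_id: str, candidate: str) -> bool:
    """Per-user version of the quoted query. With a salt per row there is no
    single value to match in WHERE pwrd = ?, so fetch this user's last N rows
    and rehash the candidate against each one."""
    rows = conn.execute(
        "SELECT pwrdHash, salt FROM pwrdTbl WHERE userId = ? "
        "ORDER BY setDate DESC LIMIT ?",
        (user_id, HISTORY_DEPTH),
    ).fetchall()
    return any(
        hmac.compare_digest(stored, hash_password(candidate, salt))
        for stored, salt in rows
    )


def meets_complexity(password: str) -> bool:
    """Same rule as the quoted CFML: 8..127 characters and at least three of
    upper, lower, digit, and non-alphanumeric (underscore counts as the last)."""
    if not 8 <= len(password) <= 127:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[\W_]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def is_valid(conn, user_id: str, candidate: str) -> bool:
    """Server-side check of a proposed new password for one specific user."""
    return meets_complexity(candidate) and not in_recent_history(conn, user_id, candidate)


if __name__ == "__main__":
    db = open_db()
    record_password(db, "alice", "Correct-Horse1")   # constructed sample data
    record_password(db, "bob", "Tr0ub4dor&3")
    print(is_valid(db, "alice", "Correct-Horse1"))  # False: in alice's own history
    print(is_valid(db, "alice", "Tr0ub4dor&3"))     # True: bob's password does not block alice
```

The side effect of salting is worth spelling out: a site-wide `WHERE [pwrd] = ?` lookup of the kind in the quoted function only works when two users with the same password produce the same stored value, which is exactly the property a per-row salt removes. The comparison uses hmac.compare_digest so the rejection path does not leak how many leading bytes matched.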

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269200