Luiz,
Maybe I'm not reading this correctly, but it seems your history should be wrapped with another variable deciding whether to do ANY history at all. Meaning, it seems like your choices on history here are - save 1 to X number of passwords, or all. What about if I do not want to save any?

From a security perspective, even saving one password from all people in a database (unencrypted especially) could lead people to pattern matching if the database was somehow exposed.

Thanks,
Shannon

On 2012-06-29 10:57, [email protected] wrote:
> Issue #495 has been reported by Luiz Fernando Severnini.
> -------------------------
>
> * Author: Luiz Fernando Severnini
> * Status: New
> * Priority: Normal
> * Assigned to:
> * Category: Self Service Password
> * Target version: self-service-password-0.8
>
> -Using OOP style:
> -Add a class to access the database of password history (HistoryDAO.class.php attached)
> -Add a class that implements the rule (PasswordHistoryRule.class.php attached)
> -Edit the file config/config.inc.php and add setting for the policy, below $pwd_complexity, add:
>
> # Check for password in history?
> $pw_history = true;
> # Amount of old password stored - 0 means all passwords
> $pw_history_level = 0;
>
> In password policy array add:
>
> $pw_policy_config = array(
>     ...
>     "pw_history" => $pw_history,
>     "pw_history_level" => $pw_history_level
>     ...
> );
>
> At the end of the file add:
>
> ## Password history
> #PDO connection for password history
> //example for SQLite - Make sure apache user has write permission
> //$history_db_dsn = "sqlite:db/ldaptoolbox.sqlite3";
> //$history_db_username = "user";
> //$history_db_password = "password";
> //example for MySQL
> //$history_db_dsn = "mysql:host=host or ip;dbname=ldaptoolbox";
> //$history_db_username = "user";
> //$history_db_password = "password";
>
> //SQLite create table
> //$history_sql_create_table = "CREATE TABLE IF NOT EXISTS history (id INTEGER PRIMARY KEY, login VARCHAR(255), password VARCHAR(255), time DATETIME)";
> //MySQL create table
> //$history_sql_create_table = "CREATE TABLE IF NOT EXISTS history (id BIGINT NOT NULL AUTO_INCREMENT, login VARCHAR(255), password VARCHAR(255), time DATETIME, PRIMARY KEY (id))";
>
> ## Arrays of configs
> # for easy share in the app
> $history_config = array(
>     "dsn" => $history_db_dsn,
>     "username" => $history_db_username,
>     "password" => $history_db_password,
>     "sql_create_table" => $history_sql_create_table
> );
>
> -Edit the file classes/PasswordPolicy.class.php
> Change the initializeRules() method:
>
> private function initializeRules() {
>
>     ...
>
>     $pwd_complexity = $this->policyConfig['pwd_complexity'];
>     $pw_history = $this->policyConfig['pw_history'];
>
>     ...
>
>     //Rules must be chained, the last one will point to NULL
>
>     if ($pw_history) {
>         $dao = new HistoryDAO($this->policyConfig, $this->historyConfig);
>         $nextRule = new PasswordHistoryRule($dao, $nextRule);
>         $nextRule->setPolicyMessage($this->messages['policyhistory']);
>     }
>
>     ...
> }
>
> Change showPolicy() method and add the code 'passwordinhistory' to regular expression pattern:
>
> public function showPolicy($result) {
>     ...
>     if ($pwd_show_policy === "onerror") {
>         if (!preg_match("/tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|notcomplex|passwordinhistory/", $result)) {
>             return;
>         }
>     }
>     ...
> }
>
> -Edit the file lang/en.inc.php
> Below $messages['sameasold'] ... add:
>
> $messages['sameasold'] = "Your new password is identical to your old password";
> $messages['passwordinhistory'] = "Password has already been used. Choose a new one.";
>
> Below $messages['policynoreuse'] ... add:
>
> $messages['policynoreuse'] = "Your new password may not be the same as your old password";
> $messages['policyhistory'] = "The password can't be reused";
>
> -------------------------
>
> You have received this notification because you have either subscribed to it, or are involved in it.
> To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
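The schema quoted in the issue keeps a `password VARCHAR(255)` column, and Shannon's concern is what such a table reveals if the database is exposed. The following is an added example, not code from the Self Service Password project or from the issue's attachments, showing how the same history rule can be met while storing only salted hashes: `password_hash()` on write, `password_verify()` on check, an explicit `enabled` switch under which nothing is ever written, and a `level` of 0 meaning "keep all". The table name `history`, the column names, and the class name `PasswordHistory` are assumptions for this example; it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added example (not project code): password history that stores only
// salted hashes, so an exposed table yields no old passwords.
// Table/column names are assumptions chosen for this example.

class PasswordHistory {
    private PDO $db;
    private bool $enabled;   // false: nothing is stored and nothing is checked
    private int $level;      // old passwords retained per login; 0 = keep all

    public function __construct(PDO $db, bool $enabled, int $level) {
        $this->db = $db;
        $this->enabled = $enabled;
        $this->level = $level;
        // The schema has a hash column only; there is no plaintext password column.
        $this->db->exec("CREATE TABLE IF NOT EXISTS history (
            id INTEGER PRIMARY KEY,
            login VARCHAR(255) NOT NULL,
            hash VARCHAR(255) NOT NULL,
            time DATETIME NOT NULL)");
    }

    // True when $password matches any retained hash for $login.
    public function wasUsed(string $login, string $password): bool {
        if (!$this->enabled) {
            return false;
        }
        $stmt = $this->db->prepare(
            "SELECT hash FROM history WHERE login = :login ORDER BY id DESC");
        $stmt->execute([':login' => $login]);
        foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $hash) {
            // password_verify() re-derives the hash with the stored salt and
            // compares in constant time; the old password itself is never stored.
            if (password_verify($password, $hash)) {
                return true;
            }
        }
        return false;
    }

    // Store the hash of a newly accepted password, then prune to $level entries.
    public function record(string $login, string $password): void {
        if (!$this->enabled) {
            return;   // history disabled: the database is never written
        }
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $this->db->prepare(
            "INSERT INTO history (login, hash, time) VALUES (:login, :hash, :time)");
        $stmt->execute([
            ':login' => $login,
            ':hash'  => $hash,
            ':time'  => gmdate('Y-m-d H:i:s'),
        ]);
        if ($this->level > 0) {
            // Keep only the newest $level rows for this login.
            // Two distinct placeholders for the login, since PDO forbids reusing
            // a named parameter when prepare emulation is off.
            $prune = $this->db->prepare(
                "DELETE FROM history WHERE login = :login AND id NOT IN (
                    SELECT id FROM history WHERE login = :login2
                    ORDER BY id DESC LIMIT :limit)");
            $prune->bindValue(':login', $login);
            $prune->bindValue(':login2', $login);
            $prune->bindValue(':limit', $this->level, PDO::PARAM_INT);
            $prune->execute();
        }
    }
}

// Usage with an in-memory database and constructed sample values.
$history = new PasswordHistory(new PDO('sqlite::memory:'), true, 3);
$history->record('alice', 'Winter2012!');
var_dump($history->wasUsed('alice', 'Winter2012!'));   // the reused password is rejected
var_dump($history->wasUsed('alice', 'Spring2013!'));   // a fresh one passes

// With history switched off, nothing is written and nothing is rejected.
$disabled = new PasswordHistory(new PDO('sqlite::memory:'), false, 0);
$disabled->record('bob', 'Winter2012!');
var_dump($disabled->wasUsed('bob', 'Winter2012!'));
```

In the rule chain from the issue, `wasUsed()` is the check the history rule would run before the LDAP password change, and `record()` is called only after the change succeeds, so a failed change never leaves a stale entry behind. Because `password_hash()` produces a different salt per row, two users who chose the same password get unrelated rows, which removes the cross-user pattern matching an unencrypted table would allow.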
