On 1/19/2010 7:49 AM, Mark Goodge wrote:
On 19/01/2010 14:44, Tompkins Neil wrote:
Hi All,

Following on from my earlier email - I've the following question now :

I can enforce that the user can't use the same password as the
previous four when they change their password. However, the user can
manipulate this by changing the password four times and then resetting
back to their original password. How would I overcome this problem? Any
thoughts or recommendations?

Store the date/time that the password was changed, and as well as not
allowing one within the past four passwords you can also disallow one
that was last used within the past N days, for whatever value of N you
prefer.

Mark



Keep in mind that if you do this you may be setting yourself up for other security risks (people writing down passwords, etc). If a security measure gets in the way of the right people's ability to access the environment, they will find a way to circumvent it--and screw over your PCI compliance in the process.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
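One way to implement Mark's suggestion (history depth plus a time-based check), as an added example that is not code from anyone in the thread. It assumes a `password_history` table of the shape shown, uses in-memory SQLite as a stand-in for MySQL, and picks N = 90 days; the timestamp subtlety it handles is that a password was "in use" until the next one replaced it, not only at the moment it was set.

```python
import hashlib, hmac, os, sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema: an in-memory SQLite stand-in for the MySQL table.
# Every row is one historical password; changed_at is when it was SET.
SCHEMA = """CREATE TABLE password_history (
    user_id INTEGER NOT NULL, salt BLOB NOT NULL,
    pw_hash BLOB NOT NULL, changed_at TEXT NOT NULL)"""

HISTORY_DEPTH = 4     # "can't reuse any of the previous four"
MIN_REUSE_DAYS = 90   # Mark's N; 90 is an assumed value

def _hash(password: str, salt: bytes) -> bytes:
    # Per-row salt so each history entry can be re-checked independently.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def new_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def reuse_reason(conn, user_id, candidate, now, depth=HISTORY_DEPTH, min_days=MIN_REUSE_DAYS):
    """Return why `candidate` is disallowed for user_id, or None if it is fine."""
    rows = conn.execute(
        "SELECT salt, pw_hash, changed_at FROM password_history "
        "WHERE user_id = ? ORDER BY changed_at DESC", (user_id,)).fetchall()
    cutoff = (now - timedelta(days=min_days)).isoformat()
    for i, (salt, pw_hash, changed_at) in enumerate(rows):
        if not hmac.compare_digest(_hash(candidate, salt), pw_hash):
            continue
        if i < depth:
            return f"matches one of the last {depth} passwords"
        # A password stays "in use" until the next newer one replaced it,
        # so its last-used time is the NEXT row's changed_at (or now).
        last_used = rows[i - 1][2] if i > 0 else now.isoformat()
        if last_used >= cutoff:
            return f"was in use within the last {min_days} days"
    return None

def set_password(conn, user_id, password, now=None):
    """Apply both checks, then record the new password. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    reason = reuse_reason(conn, user_id, password, now)
    if reason:
        return False, reason
    salt = os.urandom(16)
    conn.execute("INSERT INTO password_history VALUES (?, ?, ?, ?)",
                 (user_id, salt, _hash(password, salt), now.isoformat()))
    return True, "ok"
```

Cycling through four throwaway passwords and returning to the original passes the depth check alone but is caught by the date check, because the original was still in use less than N days ago.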
