Where does OS store password history?
Question

I need to confirm that user cannot use the same password over and over again?

And does OS has password configurable expiration duration? I want user password to expire within let's say 30 days.

Solution

Eric Halim wrote:

I need to confirm that user cannot use the same password over and over again?

And does OS has password configurable expiration duration? I want user password to expire within let's say 30 days.

Hi Eric, 

This feature is not native in OS. You should customize the Login feature to do that.

You could create an entity to store User, PasswordHash and expiration dates, and create a timer to purge the oldest records beyond the last N passwords for the same user, according to your policy.

Your CustomLogin could check whether the password is expired and request a change. And your ChangePassword screen could do the history check to avoid repeated passwords.


Best Regards

Fabio Fantato

 


Fábio Fantato wrote:

Hi Eric,

This feature is not native in OS. You should customize the Login feature to do that.

You could create an entity to store User, PasswordHash and expiration dates, and create a timer to purge the oldest records beyond the last N passwords for the same user, according to your policy.

Your CustomLogin could check whether the password is expired and request a change. And your ChangePassword screen could do the history check to avoid repeated passwords.

Best Regards

Fabio Fantato


Hi Fabio,


Regarding your proposed solution, a password hash is not generated the same for 2 equal passwords, so how would you check if the password was repeated in this case?

I see OS does not provide a password-decrypt function to get the text value back.


Kind regards,

Lorena

Hey Eric,


OS stores user data in the "User" Entity, which is in System. So if you want to maintain history you need to extend the User Entity and create your own Entity. Create a record whenever the user updates their password, and use those records in future to fulfil your requirement.


Thanks

Ramakrushna Rao Seera

Ah I see... thanks, I was thinking this kind of stuff is standard and maybe OS already has a built-in feature for this.


Hi Lorena,

I've recently implemented a solution, so we are able to expire a password after a configurable number of days; the new password needs to meet certain complexity rules and cannot be the same as any of the last n used passwords, where n is configurable.

You indeed have to save every password in a new table. As mentioned, note that saving the same password multiple times results in different hashes because random salts are used.

With the ValidatePassword function in the PlatformPasswordUtils extension (documented as "Validates a password against the expected salted password hash"), you can check the new plain-text password against the stored password hashes of previous passwords. If you have a match, you know that the new password has already been used.

It is a bit more complex because OutSystems stores passwords differently depending on your configuration. You can have a look at how passwords are stored in the Users eSpace to get an idea.


I can check with my client if I can share our solution and publish it in the Forge.
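The approach Fabio and Kilian describe above (a history entity holding salted hashes, a reuse check that re-hashes the candidate with each stored record's salt the way ValidatePassword does, an expiry check in the login path, and a purge beyond the last N records), written out as an added Python example. It is not code from this thread and not OutSystems code: the hashing scheme (PBKDF2-HMAC-SHA256 with a random 16-byte salt per record), the `PasswordHistory` class and its method names are assumptions standing in for the platform's own storage. Lorena's point is visible in it: two hashes of the same password differ, so the history check must re-hash with the stored salt rather than compare hash strings.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed hashing scheme (not the platform's): PBKDF2-HMAC-SHA256, random per-record salt.
ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class PasswordRecord:
    """One row of the hypothetical history entity: user, salt, hash, creation date."""
    user_id: int
    salt: bytes
    digest: bytes
    created_at: datetime


def hash_password(plain: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a plain-text password; a fresh salt means equal passwords get different digests."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def validate_password(plain: str, record: PasswordRecord) -> bool:
    """Re-hash the candidate with the record's own salt and compare in constant time.
    This is the role ValidatePassword plays in the thread: the stored hash is never reversed."""
    _, digest = hash_password(plain, record.salt)
    return hmac.compare_digest(digest, record.digest)


class PasswordHistory:
    """In-memory stand-in for the history entity plus the timer that purges old rows."""

    def __init__(self, history_size: int = 5, max_age_days: int = 30):
        self.history_size = history_size          # the configurable N
        self.max_age = timedelta(days=max_age_days)  # the configurable expiry
        self._records: Dict[int, List[PasswordRecord]] = {}

    def current(self, user_id: int) -> Optional[PasswordRecord]:
        recs = self._records.get(user_id, [])
        return recs[-1] if recs else None

    def is_expired(self, user_id: int, now: datetime) -> bool:
        cur = self.current(user_id)
        return cur is None or now - cur.created_at > self.max_age

    def was_used_recently(self, user_id: int, plain: str) -> bool:
        """History check for the ChangePassword screen: match against every retained record."""
        return any(validate_password(plain, r) for r in self._records.get(user_id, []))

    def set_password(self, user_id: int, plain: str, now: datetime) -> None:
        if self.was_used_recently(user_id, plain):
            raise ValueError("password matches one of the last N passwords")
        salt, digest = hash_password(plain)
        recs = self._records.setdefault(user_id, [])
        recs.append(PasswordRecord(user_id, salt, digest, now))
        # What the purge timer would do: keep only the most recent N records.
        del recs[:-self.history_size]

    def login(self, user_id: int, plain: str, now: datetime) -> str:
        """CustomLogin: verify against the current record, then enforce expiry."""
        cur = self.current(user_id)
        if cur is None or not validate_password(plain, cur):
            return "invalid"
        if self.is_expired(user_id, now):
            return "expired"  # caller should redirect to ChangePassword
        return "ok"


if __name__ == "__main__":
    history = PasswordHistory(history_size=2, max_age_days=30)
    t0 = datetime(2024, 1, 1)  # constructed timestamps for the demo
    history.set_password(1, "correct horse", t0)
    print(history.login(1, "correct horse", t0 + timedelta(days=10)))  # ok
    print(history.login(1, "correct horse", t0 + timedelta(days=31)))  # expired
    print(history.was_used_recently(1, "correct horse"))               # True
```

Two same-password records never share a digest, which is why `was_used_recently` runs the candidate through `validate_password` per record instead of comparing stored values; the purge in `set_password` is what a timer would do over the real entity, and `history_size` should count the current password as well if the policy is "last N including the present one".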


Hi Killian,

Your solution would exactly be what I need, but I am not getting the expected result. 

I have already implemented a table that holds the userId, hashed password, date of creation and inactive-since date. I want to use this to check that the newly entered password has not been used in the last N months and is not the same as the currently active password (since that may not have expired yet, I don't want it to update).

I am trying to use the ValidatePassword from the PlatformPasswordUtils. 

To check that the new password is not the same as what is stored, I use a local variable for the new password and GetUser.Password from the database. When I enter the same password I still get a false result. The same happens when checking the old passwords.

Any idea on how to fix this?


Max
