Where does OS store password history?

I need to confirm that a user cannot use the same password over and over again.

And does OS have a configurable password expiration duration? I want user passwords to expire within, let's say, 30 days.

Solution

Eric Halim wrote:

I need to confirm that a user cannot use the same password over and over again.

And does OS have a configurable password expiration duration? I want user passwords to expire within, let's say, 30 days.

Hi Eric,

This feature is not native in OS. You should customize the Login feature to do that.

You could create an entity to store User, PasswordHash and expiration dates, and create a timer to purge the oldest records after the last N passwords for the same user, according to your policy.

Your CustomLogin could check if the password is expired and request the change. And your ChangePassword screen could do the history check to avoid repeated passwords.


Best Regards

Fabio Fantato

Solution

Hey Eric,


OS stores user data in the "User" Entity, which is in System. So if you want to maintain history you need to extend the User Entity and create your own Entity. And whenever the user updates the password, create a record, and use those records in future to fulfill your requirement.


Thanks

Ramakrushna Rao Seera

Ah I see... thanks, I was thinking this kind of stuff is standard and maybe OS already has a built-in feature for this.

Hi Fabio,


Regarding your proposed solution, a password hash is not generated the same for 2 equal passwords, so how would you check if the password was repeated in this case?

I see OS does not provide a decrypt password function to get the text value back.


Kind regards,

Lorena

Hi Lorena,

I've recently implemented a solution, so we are able to expire a password after a configurable number of days; the new password needs to meet certain complexity rules and cannot be the same password as the last n used passwords, where n is configurable.

You indeed have to save every password in a new table. As mentioned, note that saving the same password multiple times results in different hashes because random salts are used.

With the ValidatePassword function in the PlatformPasswordUtils extension, you can:

"Validates a password against the expected salted password hash."

So you can check the new plain text password against the stored password hashes of previous passwords. If you have a match, you know that the new password has already been used.

It is a bit more complex because OutSystems stores passwords differently depending on your configuration. You can have a look at how passwords are stored in the Users eSpace to get an idea.


I can check with my client if I can share our solution and publish it in the Forge.
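The history check described in this last reply, as an added example that is not the page's or OutSystems' own code: a constructed Python stand-in in which ValidatePassword's role is played by re-deriving a PBKDF2 hash with the stored salt, a history table keeps the last N (salt, hash, set_at) rows, and expiry is judged from the newest row's timestamp. The hashing scheme, the PasswordHistory class and the demo values are assumptions, not the platform's real storage format.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed stand-in for the platform's salted hashing (not OutSystems' real
# format): PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password.
ITERATIONS = 100_000

def hash_password(plain, salt=b""):
    salt = salt or os.urandom(16)  # new random salt unless one is supplied
    return salt, hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)

def validate_password(plain, salt, expected):
    # Same role as ValidatePassword: re-derive with the stored salt and compare.
    return hmac.compare_digest(hash_password(plain, salt)[1], expected)

class PasswordHistory:
    """One row per password change: (salt, digest, set_at), newest last."""
    def __init__(self, keep_last, max_age_days):
        self.keep_last = keep_last
        self.max_age = timedelta(days=max_age_days)
        self.rows = []

    def is_reused(self, plain):
        # Digests cannot be compared to each other (random salts), so the new
        # plaintext is verified against every stored (salt, digest) pair.
        return any(validate_password(plain, s, d) for s, d, _ in self.rows)

    def set_password(self, plain, now):
        if self.is_reused(plain):
            return False  # ChangePassword screen rejects the reuse
        self.rows.append(hash_password(plain) + (now,))
        del self.rows[:-self.keep_last]  # purge records beyond the last N
        return True

    def is_expired(self, now):
        return not self.rows or now - self.rows[-1][2] >= self.max_age

def demo():
    # Constructed walk-through: reuse rejected, purge beyond N=2, 30-day expiry.
    hist, t0 = PasswordHistory(keep_last=2, max_age_days=30), datetime(2024, 1, 1)
    r = {"first_set": hist.set_password("Winter2024!", t0),
         "reuse_rejected": not hist.set_password("Winter2024!", t0 + timedelta(days=1)),
         "hashes_differ": hash_password("x")[1] != hash_password("x")[1]}
    for pw, day in (("Spring2024!", 10), ("Summer2024!", 20)):
        hist.set_password(pw, t0 + timedelta(days=day))
    r["purged_vs_kept"] = (hist.is_reused("Winter2024!"), hist.is_reused("Spring2024!"))
    r["expiry"] = (hist.is_expired(t0 + timedelta(days=49)), hist.is_expired(t0 + timedelta(days=50)))
    return r
```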