Issue on implementing password history check


Hi all, 


I'm trying to implement password policies as follows:

1. min. length

2. with complexity

3. retries and lockout

4. password history - cannot use the same passwords from before


All of 1~3 work perfectly but 4 is a hassle. We have done a proof of concept and it works fine in personal environments. However, in the enterprise environment, it seems every password change, even if it's the exact same password, results in a different encrypted piece of data. This means we are unable to match the previously changed passwords.


Can someone please point me in the right direction in resolving this? Are there any common ways to implement such password policies? Are there any configurations at the enterprise level that differ from personal environments, so we can work things out, please?


Thank you in advance!


Connie

Nothing available out of the box in OutSystems as far as I know. But the passwords (hashed, I assume) are available in the User table. You can just keep those somewhere in a table every time a user resets the password. And then run a simple logic to check if the latest one matches anything from the history table.


Surely not the optimal solution. But all I could think of now.


Cheers.

Thanks Tushar, 


Yes, we have done exactly that in our personal environment as a proof of concept. Works perfectly.


However, when we tried to implement it into our system in an enterprise environment, it doesn't work. Every password change results in a different hash key, even with the exact same original password. Are there any settings that I can refer to, please?

Connie wrote:

Thanks Tushar, 


Yes, we have done exactly that in our personal environment as a proof of concept. Works perfectly.


However, when we tried to implement it into our system in an enterprise environment, it doesn't work. Every password change results in a different hash key, even with the exact same original password. Are there any settings that I can refer to, please?


They might be using a different salt for hashing the password each time. Not able to see the salt stored anywhere in my personal or enterprise environment. Sorry, I have nothing more as of now. Will let you know if I get anything.

Tushar Panpaliya wrote:

Connie wrote:

Thanks Tushar, 


Yes, we have done exactly that in our personal environment as a proof of concept. Works perfectly.


However, when we tried to implement it into our system in an enterprise environment, it doesn't work. Every password change results in a different hash key, even with the exact same original password. Are there any settings that I can refer to, please?


They might be using a different salt for hashing the password each time. Not able to see the salt stored anywhere in my personal or enterprise environment. Sorry, I have nothing more as of now. Will let you know if I get anything.

Thanks Tushar, I'll keep digging. 


Solution

Hi Connie,

Out of the box there are 3 ways of hashing passwords in OutSystems. One in Users > EncryptPassword and 2 on PlatformPasswordUtils > GenerateSaltedMD5Hash and GenerateSaltedSHA512Hash. And you can use ValidatePassword to check if the passwords are the same. Only with GenerateSaltedSHA512Hash can the hash be different for the same password, because the salt is different in every call.

Can you explain better what you are doing and which actions you are using to hash and validate the password?

Regards,

Marcelo
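Marcelo's point, as an added illustration that is not code from this thread or from OutSystems: a hash generated with a fresh salt on every call can never be found by string comparison against a history table, and a history check has to re-hash the candidate with each stored hash's own salt, which is what a ValidatePassword-style action does. Function names, the "salt$digest" storage format and the PBKDF2 work factor are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Storage format: "<hex salt>$<hex digest>", so the salt travels with the
# hash and is available again at validation time.
ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, tune for your platform


def generate_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA512. With no salt given, a fresh random salt is
    drawn, so two calls with the same password return different strings."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def validate_password(password: str, stored_hash: str) -> bool:
    """Re-derive the hash using the salt embedded in stored_hash and compare
    in constant time; this is how a salted hash must be matched."""
    salt_hex, _ = stored_hash.split("$", 1)
    candidate = generate_salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def naive_history_check(password: str, history: List[str]) -> bool:
    """The approach that failed in the thread: hash the new password and look
    for that string in the history table. Per-call salts mean it never matches."""
    return generate_salted_hash(password) in history


def password_in_history(password: str, history: List[str]) -> bool:
    """Correct history check: validate the candidate against each stored hash."""
    return any(validate_password(password, h) for h in history)


def demo() -> dict:
    # Constructed sample history of two previously used passwords.
    history = [generate_salted_hash("Winter2024!"), generate_salted_hash("Spring2025!")]
    return {
        "naive_finds_reuse": naive_history_check("Winter2024!", history),   # False
        "salted_finds_reuse": password_in_history("Winter2024!", history),  # True
        "new_password_allowed": not password_in_history("Summer2025!", history),  # True
    }


if __name__ == "__main__":
    print(demo())
```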




Solution

Marcelo Ferreira wrote:

Hi Connie,

Out of the box there are 3 ways of hashing passwords in OutSystems. One in Users > EncryptPassword and 2 on PlatformPasswordUtils > GenerateSaltedMD5Hash and GenerateSaltedSHA512Hash. And you can use ValidatePassword to check if the passwords are the same. Only with GenerateSaltedSHA512Hash can the hash be different for the same password, because the salt is different in every call.

Can you explain better what you are doing and which actions you are using to hash and validate the password?

Regards,

Marcelo




Thank you so much, Marcelo! We have succeeded in matching the hashed passwords for implementing password history control.