Password Expiry permits reusing current password as new password

Question

Password Expiry permits reusing current password as new password

eliotsykes opened this issue 8 years ago · 4 comments

Password expiry allows a user with an expired password to reuse their current password as their new password.

Answer 1 · 2016-04-20T14:14:56.000Z

You can setup the password_archiveable module as a workaround for this bug. This prevented the current password from being set as the new password with the following settings in the initializer:

  # How many passwords to keep in archive
  config.password_archiving_count = 4

  # Deny old password (true, false, count)
  config.deny_old_passwords = true

Answer 2 · 2016-04-20T14:45:36.000Z

Thanks for bringing this up. Using both modules together is the expected way to implement password expiry without password reuse. If this was not clear from the README.md we need to update the documentation.

Answer 3 · 2016-04-20T15:02:13.000Z

Thanks @manno - documented in #177

Answer 4 · 2016-04-20T22:14:23.000Z

this new feature also allow to prevent the reuse of all previous password newer than a X date.

#174