syncope-dev mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (SYNCOPE-1337) Password history policy is not enforced on salted passwords
Date Fri, 13 Jul 2018 14:59:00 GMT


ASF subversion and git services commented on SYNCOPE-1337:

Commit 21c92719cb100bc97a601691d338ab1ca188fc73 in syncope's branch refs/heads/2_1_X from
[;h=21c9271 ]

[SYNCOPE-1337] Do not check password history by simple String comparison, use Encryptor#verify
as authentication does

> Password history policy is not enforced on salted passwords
> -----------------------------------------------------------
>                 Key: SYNCOPE-1337
>                 URL:
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.9, 2.1.0
>            Reporter: Andrea Patricelli
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>             Fix For: 2.0.10, 2.1.1, 3.0.0
> 
> # Define a password policy and set history to a value > 0 (even 1 is good).
> # Set configuration parameter password.cipher.algorithm to a salted algorithm, say SSHA512 for example.
> # Create a user with a password.
> # Try to edit the user (more times if you like, in order to populate the password history) by changing the password (password management or edit wizard) to the same value or to a value that you are sure is in the password history (to trigger the policy). You'll see that the password is updated to the already used value and the history policy is not triggered.

This message was sent by Atlassian JIRA
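The following is an added example, not code from Syncope or from this thread, showing why a history check that re-encodes the new password and compares strings can never match a salted entry, and why the fix is to run the same verify routine that authentication uses against every stored history entry. The `{SSHA512}` layout used here (base64 of digest followed by salt) is an assumed LDAP-style encoding for illustration only, not Syncope's exact on-disk format, and the `history_check_broken` / `history_check_fixed` functions and the sample history are constructed for this example.

```python
"""Password-history check against salted hashes: broken (string compare) vs. fixed (verify).

Added example; not Syncope code. The {SSHA512} layout below is an assumption
made for illustration and is not claimed to be Syncope's exact encoding.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

PREFIX = "{SSHA512}"
DIGEST_LEN = 64   # sha512 output length in bytes
SALT_LEN = 16     # assumed salt size; any length works because salt is stored after the digest


def encode_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Encode as PREFIX + base64(sha512(password || salt) || salt).

    A fresh random salt is drawn on every call, so encoding the same password
    twice yields two different strings. That is exactly what defeats a
    string-equality history check.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, encoded: str) -> bool:
    """Recover the salt from the stored value, re-hash the candidate, compare digests."""
    if not encoded.startswith(PREFIX):
        return False
    raw = base64.b64decode(encoded[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as an authentication path should use
    return hmac.compare_digest(candidate, digest)


def history_check_broken(new_password: str, history: List[str]) -> bool:
    """The defective approach described in SYNCOPE-1337: re-encode, then compare strings.

    Works only for unsalted ciphers, where re-encoding is deterministic.
    With a salted cipher the fresh salt makes this return False for a reused password.
    """
    return encode_ssha512(new_password) in history


def history_check_fixed(new_password: str, history: List[str]) -> bool:
    """The corrected approach: verify the candidate against each stored entry,
    the same way authentication verifies a login password."""
    return any(verify_ssha512(new_password, old) for old in history)


def demo():
    """Constructed sample: a history of two previous salted passwords.

    Returns (broken_result, fixed_result_reused, fixed_result_fresh).
    """
    history = [encode_ssha512("Password1!"), encode_ssha512("Winter2018")]
    reused = "Password1!"
    fresh = "Fresh-pw-9"
    return (
        history_check_broken(reused, history),   # False: reuse slips through
        history_check_fixed(reused, history),    # True:  reuse is caught
        history_check_fixed(fresh, history),     # False: a new password is allowed
    )


if __name__ == "__main__":
    print(demo())
```

Note that the fixed check has to be applied to every entry in the history, not only the current password, and that entries written under an earlier cipher configuration must be verified with the algorithm they were stored with; Syncope's `Encryptor#verify` takes the cipher algorithm as a parameter for that reason.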
