Skip to content

Validating Password History

WSO2 Identity Server enables restricting the user from re-entering recently used passwords as a new password. For example, if we have set this configuration to 5, the user will not be able to re-use any of the five most recently used passwords when setting a new password.

Password History


Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. Sam, who is an administrator at Pickup, wants to restrict users from re-using the three most recently used passwords when setting a new password.

Set up

Follow the steps below to define the password policy that Sam wants to enforce.

Before you begin

  1. Run WSO2 Identity Server.

  2. Sign in to the WSO2 Identity Server Management Console at https://<SERVER_HOST>:9443/carbon as an administrator.

  1. On the Main menu of the Management Console, click Identity > Identity Providers > Resident.

    Resident Identity Provider menu-item

  2. Under Password Policies, click Password History.

    Passwrod History option

  3. Enter the required values as given below.

    Passwrod History form

    Field Description Sample Value
    Enable Password History Feature This enables password history validation. Selected
    Password History validation count This defines after how many password updates the user can re-use an old password. 3

Try out

  1. To create the user:

    1. On the Main menu of the Management Console, click Identity > Users and Roles > Add.

    2. Click Add New User.

    3. Enter Alex as the user name and testwso2is as the password.

    4. Click Finish.

  2. To assign login permissions to the user:

    1. Click the View Roles option of Alex.

      View Roles option

    2. Click Permissions.

      Role Permissions option

    3. Select Login and click Update.

      Login permission

  3. To change the password:

    1. Access WSO2 Identity Server user portal at https://localhost:9443/user-portal/.

    2. Log in with the credentials of the user account that you created.

      Sign In form

    3. Under Security, click Change your password.

      Change Passwrod option

    4. Enter testwso2is in Current Password, New Password, and Confirm Password text boxes.

      Change Password form

    5. Click Update. An error message appears.

      Passwrod History Validation error message

    6. To mimic three consecutive password changes, change Alex's password to the following sequentially.

      • test123
      • test234
      • test345

      Note that these passwords get successfully added to the system.

    7. Now, change Alex's password back to testwso2is. Note that the password gets successfully changed.