Validating Password History¶
WSO2 Identity Server enables restricting the user from re-entering recently used passwords as a new password. For example, if we have set this configuration to 5, the user will not be able to re-use any of the five most recently used passwords when setting a new password.
Scenario¶
Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. Sam, who is an administrator at Pickup, wants to restrict users from re-using the three most recently used passwords when setting a new password.
Set up¶
Follow the steps below to define the password policy that Sam wants to enforce.
Before you begin
-
Sign in to the WSO2 Identity Server Management Console at
https://<SERVER_HOST>:9443/carbon
as an administrator.
-
On the Main menu of the Management Console, click Identity > Identity Providers > Resident.
-
Under Password Policies, click Password History.
-
Enter the required values as given below.
Field Description Sample Value Enable Password History Feature This enables password history validation. Selected Password History validation count This defines after how many password updates the user can re-use an old password. 3
Try out¶
-
To create the user:
-
On the Main menu of the Management Console, click Identity > Users and Roles > Add.
-
Click Add New User.
-
Enter
Alex
as the user name andtestwso2is
as the password. -
Click Finish.
-
-
To assign login permissions to the user:
-
Click the View Roles option of Alex.
-
Click Permissions.
-
Select Login and click Update.
-
-
To change the password:
-
Access WSO2 Identity Server My Account portal at
https://localhost:9443/myaccount/
. -
Log in with the credentials of the user account that you created.
-
Under Security, click Change your password.
-
Enter
testwso2is
in Current Password, New Password, and Confirm Password text boxes. -
Click Update. An error message appears.
-
To mimic three consecutive password changes, change Alex's password to the following sequentially.
test123
test234
test345
Note that these passwords get successfully added to the system.
-
Now, change Alex's password back to
testwso2is
. Note that the password gets successfully changed.
-