SYNCOPE-1337: Password history policy is not enforced on salted passwords

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.9, 2.1.0
    • Fix Version/s: 2.0.10, 2.1.1, 3.0.0
    • Component/s: core
    • Labels: None

Description

    1. Define a password policy and set history to a value > 0 (even 1 is enough).
    2. Set the configuration parameter password.cipher.algorithm to a salted algorithm, for example SSHA512.
    3. Create a user with a password.
    4. Edit the user (repeatedly, if you like, in order to populate the password history) and change the password (via password management or the edit wizard) to the same value, or to a value that you are sure is in the password history, so that the policy should be triggered. You'll see that the password is updated to the already used value and the history policy is not triggered.
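The steps above describe the classic failure mode of a history check against salted hashes: each hash of the same password carries a fresh random salt, so the new ciphertext never string-matches any stored one. The following is an added example, not Syncope's own code; it assumes an LDAP-style SSHA512 layout of base64(sha512(password || salt) || salt), and the function names (`history_contains_naive`, `history_contains`, `build_history`) are hypothetical. It shows the broken comparison beside the correct one, which re-hashes the candidate with each history entry's own salt.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

PREFIX = "{SSHA512}"   # assumed label for the salted SHA-512 layout
SALT_LEN = 16          # assumed salt length in bytes
DIGEST_LEN = 64        # SHA-512 digest length in bytes


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512, LDAP-style layout: base64(digest || salt).
    A fresh random salt is drawn when none is supplied, so two hashes of the
    same password differ (assumed layout, used only for illustration)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value and recompute the digest with it."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def history_contains_naive(candidate: str, history: List[str]) -> bool:
    """The broken check: hash the candidate with a new random salt and look for
    that exact string in the history. With per-hash salts the new string never
    equals a stored one, so password reuse is never detected."""
    return ssha512_hash(candidate) in history


def history_contains(candidate: str, history: List[str]) -> bool:
    """The correct check: verify the candidate against every stored entry,
    reusing the salt embedded in that entry."""
    return any(ssha512_verify(candidate, old) for old in history)


def build_history(passwords: List[str]) -> List[str]:
    """Simulate the stored password history for a user (constructed sample data)."""
    return [ssha512_hash(p) for p in passwords]


if __name__ == "__main__":
    # Constructed sample: a user whose last two passwords are in the history.
    history = build_history(["Passw0rd!", "Summer2018"])
    print("naive check flags reuse:  ", history_contains_naive("Passw0rd!", history))  # False
    print("correct check flags reuse:", history_contains("Passw0rd!", history))        # True
    print("correct check, new value: ", history_contains("Brand-new-1", history))      # False
```

The naive variant is what makes step 4 of the report succeed silently: the policy appears to run, but the comparison can never match. The correct variant costs one hash per history entry, which is why a small history size (even 1, as the report notes) is enough to observe the difference.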


People

    • Assignee: ilgrosso Francesco Chicchiriccò
    • Reporter: andrea.patricelli Andrea Patricelli
    • Votes: 0
    • Watchers: 3
