Validating a password hasn't been used for at least 1 year...


Mel Riffe

Feb 20, 2012, 10:46:56 AM
to auth...@googlegroups.com
Howdy Everyone,

I'm starting to work on a requirement for a client that wants to keep people from using the same password over and over; they've stated the requirement that a password can only be used once in a year's timeframe.

I know this isn't directly supported by Authlogic; it's not even specific to Authlogic. But, I figured: since we're using Authlogic and I don't want to store plain text passwords and I need a way to compare encrypted passwords, why not see if Authlogic can help me out.

Background: This is for a Rails 2.3.x app and I'm using Authlogic 2.1.6. Unfortunately I'm not in a position to upgrade to a newer version of Rails.

The general approach I'd like to take is:

* create a HistoricalPassword model; define a has_many :historical_passwords on User (crypted_password, user_id, timestamps)
* encrypt the password when HistoricalPassword is instantiated
* create a validation that verifies the new password hasn't been used since 'password_changed_at' - 1.year

Questions:

1) After perusing the code it looks like a new password_salt is generated whenever a new password is set. Is this true? I have a feeling this will come into play when I'm comparing passwords.
2) How do I gain access to the default crypto without going directly to it?
3) Is there anything I should be considering or that I'm missing?

Thanks, in advance, for any help I receive!

Cheers,
Mel
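The three-step approach above (a HistoricalPassword record per old password, hashed at creation, plus a "not used in the last year" validation) as an added, stand-alone example; this is not code from the original post or from Authlogic. It assumes PBKDF2-HMAC-SHA512 from Ruby's OpenSSL stdlib as a stand-in for Authlogic's default crypto provider, a plain Struct in place of an ActiveRecord model, and a fixed 365-day window in place of ActiveSupport's `1.year`. It also answers the salt question in the post: since each stored record carries its own salt, a candidate password cannot be compared digest-to-digest; it has to be re-hashed with each record's salt and compared in constant time.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Authlogic code). PBKDF2-HMAC-SHA512 is an assumption
# standing in for Authlogic's default crypto provider; in a real app the
# history records must use the same provider/stretches as the live password
# so that old records can still be verified after the scheme changes.
ITERATIONS = 20_000
KEY_LENGTH = 64
ONE_YEAR   = 365 * 24 * 60 * 60 # seconds; stand-in for ActiveSupport's 1.year

# Stand-in for the HistoricalPassword model: crypted_password, password_salt,
# created_at. user_id is omitted because the example works on one user's list.
HistoricalPassword = Struct.new(:crypted_password, :password_salt, :created_at)

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH, 'sha512')
                .unpack('H*').first
end

# Constant-time comparison so a mismatch does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2 of the post: hash the password (with a fresh salt) when the record is built.
def record_password(password, at = Time.now)
  salt = SecureRandom.hex(16)
  HistoricalPassword.new(hash_password(password, salt), salt, at)
end

# Step 3 of the post: re-hash the candidate with EACH record's own salt and
# compare, but only for records inside the one-year window.
def used_within_last_year?(candidate, history, now = Time.now)
  cutoff = now - ONE_YEAR
  history.select { |h| h.created_at >= cutoff }.any? do |h|
    secure_equal?(hash_password(candidate, h.password_salt), h.crypted_password)
  end
end

# Returns the list of validation errors (empty when the password is acceptable),
# the same shape a model validation would feed into errors.add.
def validate_new_password(candidate, history, now = Time.now)
  errors = []
  if used_within_last_year?(candidate, history, now)
    errors << 'has been used within the last year'
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample history: one password 100 days old, one 400 days old.
  now = Time.now
  history = [record_password('Winter2011!', now - 100 * 24 * 3600),
             record_password('Autumn2010!', now - 400 * 24 * 3600)]
  puts validate_new_password('Winter2011!', history, now).inspect # reuse inside window
  puts validate_new_password('Autumn2010!', history, now).inspect # older than a year, allowed
end
```

Two practical points follow from the code: the history table must keep the salt alongside the digest (a digest alone is unverifiable once the salt changes, which is exactly what the post's question 1 suspects), and the check costs one full hash per record in the window, so the window filter should run before hashing, as above.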