Jump to content

Topic on Manual talk:$wgPasswordPolicy

Password History Policy

2
Dshinks (talkcontribs)

Hi, We've been experimenting with this feature, and there appears to be no way of enforcing a password history policy.

Something along the lines of "The user cannot use a password that was one of their last 6 passwords."

As it stands, if we were to set a password expiry policy, a user could literally just re-enter their existing password and carry on.

You'd think that would be the most fundamental policy to implement; has anyone else come across anything like this at all - maybe I'm just missing it?

Thanks

Tgr (talkcontribs)

There is nothing stopping you from doing it, you'd just have to store old password hashes somewhere. I don't think there is too much point to it (there is no threat it would mitigate well) but if you really want it, it shouldn't be hard to do. Something like

$wgPasswordPolicy['policies']['default'] = [ 'PasswordCannotBeReused' => true ];
$wgPasswordPolicy['checks']['PasswordCannotBeReused'] = 'MyPasswordPolicyChecks::passwordCannotBeReused';

class MyPasswordPolicyChecks {
    public static function passwordCannotBeReused( $value, User $user, $password ) {
        if ( $value !== true || !$user->getId() ) {
            return true;
        }
        
        $dbr = wfGetDB( DB_REPLICA );
        $oldPassword = $dbr->selectField( 'user', 'user_password', [ 'user_id' => $user->getId() ] );
        
        $pwFactory = new PasswordFactory();
        $pwFactory->init( ConfigFactory::getDefaultInstance() );
        $oldPasswordObject = $pwFactory->newFromCiphertext( $oldPassword );
        return !$oldPasswordObject->equals( $password );
    }
}

(more complex if you want it to work with AuthManager but not by much).

Reply to "Password History Policy"