Thread: Password restricted re-use : does it work?

  1. #1
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,829

    Password restricted re-use : does it work?

    I've done quite a bit of testing on the Security Framework option to restrict password re-use and find it not working. See image. In my tests, I have set the Restrict Re-Use to a value of 1, which is supposed to disallow re-use of the existing password. But upon trial, I can reset my password to the existing value no problem. I have also tried setting that value to 8, and same result, I can re-use any password.

    I believe the web file that contains these settings is Project.SecuritySettings and I have made sure this file is newly published.

    Has anyone successfully used this option?
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  2. #2
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,829

    Re: Password restricted re-use : does it work?

    I figured part of this out. Alpha has a Change Your Password option that is built into the Login dialog. You can toggle that on in Security Framework. That method does work to restrict the password from re-use. But the method where you reset the security details from a UX component, using Action Scripting, that seems not to take restricting re-use into account. I will turn it in as a bug after more testing.

    Now, there is no way I can use Alpha's Change Your Password feature that is attached to the Login Dialog - and no one else should either. It does not use an email sent to the user to validate they are who they say they are. Same with Alpha's other password recovery options. All of them are outdated. I have my own Password Reset feature that does it correctly with a confirmation email.
    Steve Wood

  3. #3
    Volunteer Moderator Steve Workings's Avatar
    Real Name
    Steve Workings
    Join Date
    Apr 2000
    Location
    The Dreaded Chair
    Posts
    5,597

    Re: Password restricted re-use : does it work?

    I'd like to resurrect this thread.

    Steve and I have a custom UX for login and password recovery/re-setting that uses Alpha's security functions to work with Alpha's security framework.

    But we're having a growing number of users attempting to re-set their password, entering one of the restricted passwords (last 4 not allowed) and moving along with apparent success. That is, until they attempt to use their "new" password that doesn't exist because the re-use restriction policy actually prevented the resetting of the password.

    The problem is there seems no way to catch this or be able to inform the user.

    When using a restricted password with a5ws_Save_WebUser_Values(), no error is produced.

    There doesn't seem to be a function we might use to check for restriction before proceeding. Something like a5ws_passwordrestricted(uservalue.userid, password).

    So, right now we just have users who thought they re-set their password, eventually figure out they did not and file a ticket with support.

    Anyone figure out how to manage this?
    -Steve
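
Added example, not part of the original thread and not Alpha Anywhere code: a password-history check that runs before the save and returns an explicit failure, so the caller can tell the user instead of reporting a silent "success". It is written in Python because the framework's internals are not shown on the page; `hash_password`, `is_restricted`, `change_password`, the in-memory history list and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 4      # the thread's policy: "last 4 not allowed"
ITERATIONS = 100_000   # assumed PBKDF2 work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-entry salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def is_restricted(history, candidate):
    """True if candidate matches one of the most recent HISTORY_DEPTH entries."""
    # Every stored entry has its own salt, so the candidate is re-hashed
    # once per entry and compared in constant time.
    for salt, stored in history[-HISTORY_DEPTH:]:
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored):
            return True
    return False


def change_password(history, candidate):
    """Return (ok, message); never report success when the policy rejected."""
    if is_restricted(history, candidate):
        return False, f"Password matches one of your last {HISTORY_DEPTH} passwords."
    history.append(hash_password(candidate))
    del history[:-HISTORY_DEPTH]   # keep only the entries the policy needs
    return True, "Password changed."


def demo():
    # Constructed sample: a user who has cycled through five passwords.
    history = []
    for old in ["alpha-1", "bravo-2", "charlie-3", "delta-4", "echo-5"]:
        change_password(history, old)
    return [change_password(history, p)[0]
            for p in ["delta-4", "alpha-1", "foxtrot-6"]]


if __name__ == "__main__":
    print(demo())
```

The history holds only salted hashes, so the check never needs the old passwords in plaintext, and the oldest entry falls out of scope once it is more than four changes back.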


  4. #4
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,829

    Re: Password restricted re-use : does it work?

    I worked this out for a client that wanted to restrict to not allow the last 20 password uses and will dig that up.
    Steve Wood

  5. #5
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Location
    EU
    Posts
    1,535

    Re: Password restricted re-use : does it work?

    This kind of restriction just leads users to use the same base password + number, for example password12 and next time password13 and so on. It is the only way to survive the current password madness in companies.

    Ken

  6. #6
    "Certified" Alphaholic glenschild's Avatar
    Real Name
    Glen Schild
    Join Date
    Apr 2000
    Location
    Frome, Somerset, UK
    Posts
    1,510

    Re: Password restricted re-use : does it work?

    I am using a UX component which restricts the reuse of x number of passwords. When it expires they click a change password link on the component (which they can do at any time), enter the old password, enter the new password twice and if successful they get a positive response; if it fails they get the invalid password response as set in the web security configuration. I have not seen any issues with it accepting a restricted password.
    Glen Schild



    My Blog


  7. #7
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,829

    Re: Password restricted re-use : does it work?

    Ken, I totally agree (my client made me do it). It is similar to how my wife always hides the garage key in a different location each time - so as to confound the thief who might be trying to find it.
    Steve Wood

  8. #8
    Volunteer Moderator Steve Workings's Avatar
    Real Name
    Steve Workings
    Join Date
    Apr 2000
    Location
    The Dreaded Chair
    Posts
    5,597

    Re: Password restricted re-use : does it work?

    Glen - sounds like you're using the "out of the box" login component, or at least something much closer to the OEM than we are. We've customized quite a bit. We use a system like you see at IADN where you request to change your password, you're sent an email link, etc.
    -Steve


  9. #9
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,823

    Re: Password restricted re-use : does it work?

    I'm using a UX I made for login purposes. The password restriction is working for me. My users enter the old password and a new password twice. The button to submit is just {dialog.object}.submit();. My afterDialogValidate server-side event only has ExecuteServerSideAction("Change Web Security Password::Change_Web_Security_Password") in it. In web security configuration, password restricted re-use is checked.

    Edit: I'm not using the login component. This UX is entirely my design.
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  10. #10
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,829

    Re: Password restricted re-use : does it work?

    But Mike, no one does it that way today. Best Practice is to send an email to the registered address, force them to verify, then change their password.
    Steve Wood

  11. #11
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,823

    Re: Password restricted re-use : does it work?

    Quote: Originally posted by Steve Wood
    But Mike, no one does it that way today. Best Practice is to send an email to the registered address, force them to verify, then change their password.
    Of course, and if my clients want that I'll make it happen. New apps I'm creating do just that, but my older apps from years ago do not and those people don't want to pay for it.
    Mike Brown - Contact Me

  12. #12
    "Certified" Alphaholic glenschild's Avatar
    Real Name
    Glen Schild
    Join Date
    Apr 2000
    Location
    Frome, Somerset, UK
    Posts
    1,510

    Re: Password restricted re-use : does it work?

    Quote: Originally posted by Steve Workings
    Glen - sounds like you're using the "out of the box" login component, or at least something much closer to the OEM than we are. We've customized quite a bit. We use a system like you see at IADN where you request to change your password, you're sent an email link, etc.
    Pretty much, although I am just adding an email out to the user confirming that their password has just been changed. The login is on a UX component and the change password is a separate UX component.
    Glen Schild





  13. #13
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,018

    Re: Password restricted re-use : does it work?

    Glen,
    Are you using the new "context.security" methods, the old A5WS functions or the crazy Server-Side Action scripting to change the password?


    I have switched all my stuff to the "context.security" methods, but I have put a restriction on password re-use.
