
Prevent users from re-using old passwords

A particularly useful strength rule, not be an old password, prevents or warns users against reusing old passwords. This ensures that, if a user's password was divulged in the past, it will not constitute a threat in the future.


This rule is implemented as follows:

  • Passwords are stored in the history database table.

    Users' passwords are cryptographically hashed. Data includes the profile ID, account ID, target ID, the time the password was modified, and by whom.

  • Bravura Security Fabric enforces password history by matching the newly requested password against all passwords used by that user on all target systems within the selected target system group. If there is a match, Bravura Security Fabric rejects the new password request.

  • Users can select a password that was used on target systems in a target system group other than the ones selected for password change.

  • If used in conjunction with the have password rules apply to the first N characters rule, new passwords will be historically compared on only the first N characters.

  • Passwords in the history table that are older than a certain number of days may be accepted by Bravura Security Fabric if that has been configured by the password rule allow old passwords after N days.

  • Whenever a password is successfully changed by Bravura Security Fabric, it is added to the history table. This includes passwords changed by:

    • Users of the Change passwords (PSS) module

    • help desk users using the Help users (IDA) module

    • The Password Manager service (IDPM)

Warning

The number of days for allow old passwords after N days must be greater than the number of days for password must be changed every N days.

The recommended setting is that N = 6 x maximum age; for example, password must be changed every N days set to 30 days, and allow old passwords after N days set to 180 days.

If configured incorrectly, users are able to reset and "change" their password using their existing password.
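The history rule and the configuration warning above, as an added example that is not Bravura Security Fabric's own code: the table layout, the salted PBKDF2 hash, and the use of day numbers for timestamps are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the password history table. The columns named on
# the page (profile, account, target, change time, changed-by) are kept; the
# salt, hash and prefix_len columns are assumptions about how the hashed
# password is stored. Times are day numbers to keep the example simple.
HISTORY = []

def _hash(password, salt, prefix_len):
    # "Apply rules to the first N characters" must be applied before hashing:
    # a hash of the full password cannot later be compared on a prefix.
    material = password[:prefix_len] if prefix_len else password
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 50_000)

def record_change(profile_id, account_id, target_id, password, changed_by,
                  changed_day, prefix_len=None):
    """Called after a successful change (PSS, IDA or IDPM) to add a row."""
    salt = os.urandom(16)
    HISTORY.append({"profile_id": profile_id, "account_id": account_id,
                    "target_id": target_id, "changed_day": changed_day,
                    "changed_by": changed_by, "salt": salt,
                    "prefix_len": prefix_len,
                    "hash": _hash(password, salt, prefix_len)})

def is_old_password(profile_id, target_group, candidate, today,
                    allow_after_days=None):
    """True if candidate matches a still-current history entry for this
    user on any target in the selected target system group."""
    for row in HISTORY:
        if row["profile_id"] != profile_id:
            continue
        if row["target_id"] not in target_group:
            continue  # passwords used in other target groups may be reused
        age = today - row["changed_day"]
        if allow_after_days is not None and age > allow_after_days:
            continue  # "allow old passwords after N days"
        probe = _hash(candidate, row["salt"], row["prefix_len"])
        if hmac.compare_digest(row["hash"], probe):
            return True
    return False

def history_config_is_sane(allow_after_days, max_age_days):
    """The warning on the page: allow-old-after must exceed maximum age,
    otherwise a user can 'change' to the password they already have."""
    return allow_after_days is None or allow_after_days > max_age_days
```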

Warning

Bravura Security Fabric does not test prospective passwords against the target system's password history. Reset operations may fail due to the target system rejecting a password it identifies as being reused. Bravura Security Fabric only identifies passwords changed through the password change (PSS), transparent synchronization (IDPM) or help desk (IDA) module.

By default, Active Directory expires passwords every 42 days, and does not allow users to use the last 10 passwords. This means users will not be able to reuse a password until the 11th reset at minimum, assuming they only change their password when it expires. The setting password must be changed every N days only prompts users to change their passwords when they log in to Bravura Security Fabric. For use cases where Bravura Security Fabric is only accessed when users lock themselves out or forget their password, this setting is not practical. This might be the case, for example, when password synchronization is configured to be triggered from Active Directory (transparent synchronization).