Password History Management in WSO2 Identity Server.

Isura Karunaratne
3 min read · May 10, 2019


Image by threatpost.com

The purpose of this blog is to describe what the password history feature is, its security aspects, and how the feature is implemented in WSO2 Identity Server.

What is Password History Management?

Password history management is a policy that prevents users from reusing passwords they used recently, for example the last 5 passwords. Refer to this documentation for more details about the password history feature in WSO2 Identity Server.

Try out the Feature

Refer to the official WSO2 Identity Server documentation to try out the feature.

Why is it required to manage password history?

By recording and enforcing password history, we can provide better security for user accounts. When a password is leaked or stolen, people tend to reset it to a new one. At a later date, there is a possibility that the password is changed back to the leaked one. The password history feature prevents reuse of recently used passwords and thereby provides better security.

Implementation.

  • This feature is implemented as an Event Handler in WSO2 Identity Server. Refer to this for more details about the eventing framework.
  • The latest source code of the PasswordHistoryValidationHandler can be found in this link.
  • This handler is subscribed to the following events by default.

PRE_UPDATE_CREDENTIAL
PRE_UPDATE_CREDENTIAL_BY_ADMIN
POST_UPDATE_CREDENTIAL
POST_UPDATE_CREDENTIAL_BY_ADMIN
POST_ADD_USER
POST_DELETE_USER

  • Password history data is stored in the IDN_PASSWORD_HISTORY_DATA table in the identity database, which can be configured in the <IS_HOME>/repository/conf/identity/identity.xml file.
  • Identity Server stores a salted hash of the password in the IDN_PASSWORD_HISTORY_DATA table. The hashing function is configurable in the <IS_HOME>/repository/conf/identity/identity-event.properties file as follows; the default hashing algorithm is SHA-256.

passwordHistory.hashingAlgorithm=SHA-256

  • If there is a requirement to modify or improve the password history storing mechanism, it can be done by customizing the PasswordHistoryDataStore. The custom class can be configured in the <IS_HOME>/repository/conf/identity/identity-event.properties file as follows.

passwordHistory.dataStore=org.wso2.carbon.identity.password.history.store.Impl.DefaultPasswordHistoryDataStore

  • PasswordHistoryValidationHandler is responsible for storing and managing password histories.
  • When any of the following events is triggered, Identity Server stores the salted hash of the new password in the IDN_PASSWORD_HISTORY_DATA table.

POST_UPDATE_CREDENTIAL
POST_UPDATE_CREDENTIAL_BY_ADMIN
POST_ADD_USER

  • When any of the following events is triggered, Identity Server validates the password history before changing the password in the system. It calculates the salted hash and checks whether that hash already exists in the IDN_PASSWORD_HISTORY_DATA table for the same user in the same tenant. If there is a matching record, Identity Server rejects the password change.

PRE_UPDATE_CREDENTIAL
PRE_UPDATE_CREDENTIAL_BY_ADMIN

  • When the POST_DELETE_USER event is triggered, Identity Server removes the existing password history records for that user from the IDN_PASSWORD_HISTORY_DATA table.

Is it secure to store old passwords?

  • Yes, it is secure.
  • Identity Server doesn't store plain text passwords; it stores the salted hash of each password. Because the hashes are salted, rainbow table attacks are prevented as well.
  • The password hash function and the storing mechanism are configurable. If an organization needs its own way of storing the password history, that is possible.

Improvements for password history feature.

  • One improvement for this feature is to support time-based password history. For example, Identity Server can prevent the last 5 used passwords from being set as the new password, but this limit is not time bound.
  • There can be a requirement such as preventing reuse of passwords that were used in the last 3 months.
  • There can also be a requirement to prevent reuse of the last 5 passwords or any password used in the last 3 months.
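To make the event flow described under Implementation concrete, and to show the time-based variant proposed here, the following is an added Python model of the handler and its data store. It is written for this page and is not the WSO2 source: the class and method names (PasswordHistoryStore, is_reused, handle_event), the in-memory dictionary standing in for the IDN_PASSWORD_HISTORY_DATA table, and the sample tenant, users and passwords are all constructed. It keeps the design the post describes: a random salt per stored record, a digest configured the way identity-event.properties spells it, and a lookup scoped to tenant plus user. Retention goes one step beyond the post by accepting a count, a maximum age, or both.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class HistoryRecord:
    """One row of the constructed history table: per-record salt, digest, store time."""
    salt: bytes
    digest: bytes
    stored_at: float  # epoch seconds


class PasswordHistoryStore:
    """In-memory stand-in for IDN_PASSWORD_HISTORY_DATA, keyed by (tenant, user).

    history_count keeps the last N passwords; history_max_age_seconds keeps every
    password stored within that window (the time-based extension). When both are
    set, a record is retained if either rule still covers it.
    """

    def __init__(self, hashing_algorithm="SHA-256", history_count=5,
                 history_max_age_seconds=None):
        if history_count is None and history_max_age_seconds is None:
            raise ValueError("configure a history count, a maximum age, or both")
        # identity-event.properties spells the digest "SHA-256"; hashlib wants "sha256"
        self.algorithm = hashing_algorithm.replace("-", "").lower()
        hashlib.new(self.algorithm)  # fails fast (ValueError) on an unsupported algorithm
        self.history_count = history_count
        self.history_max_age_seconds = history_max_age_seconds
        self._records = {}  # (tenant, user) -> [HistoryRecord], oldest first

    def _digest(self, password, salt):
        h = hashlib.new(self.algorithm)
        h.update(salt + password.encode("utf-8"))
        return h.digest()

    def _prune(self, key, now):
        records = self._records.get(key, [])
        n = len(records)
        kept = []
        for idx, rec in enumerate(records):
            in_count = self.history_count is not None and idx >= n - self.history_count
            in_window = (self.history_max_age_seconds is not None
                         and now - rec.stored_at <= self.history_max_age_seconds)
            if in_count or in_window:
                kept.append(rec)
        self._records[key] = kept

    def add(self, tenant, user, password, now):
        """Store a fresh random salt and the salted digest; plain text never hits the table."""
        salt = os.urandom(16)
        key = (tenant, user)
        self._records.setdefault(key, []).append(
            HistoryRecord(salt, self._digest(password, salt), now))
        self._prune(key, now)

    def is_reused(self, tenant, user, candidate, now):
        """Re-hash the candidate with each stored record's salt; compare in constant time."""
        key = (tenant, user)
        self._prune(key, now)
        return any(hmac.compare_digest(self._digest(candidate, rec.salt), rec.digest)
                   for rec in self._records.get(key, []))

    def remove_user(self, tenant, user):
        self._records.pop((tenant, user), None)


class PasswordHistoryValidationHandler:
    """Routes the events listed in the post to the store. Returns True when the
    operation may proceed and False when a PRE_* validation rejects a reused password."""

    STORE_EVENTS = {"POST_UPDATE_CREDENTIAL", "POST_UPDATE_CREDENTIAL_BY_ADMIN", "POST_ADD_USER"}
    VALIDATE_EVENTS = {"PRE_UPDATE_CREDENTIAL", "PRE_UPDATE_CREDENTIAL_BY_ADMIN"}

    def __init__(self, store):
        self.store = store

    def handle_event(self, event_name, tenant, user, password=None, now=None):
        now = time.time() if now is None else now
        if event_name in self.VALIDATE_EVENTS:
            return not self.store.is_reused(tenant, user, password, now)
        if event_name in self.STORE_EVENTS:
            self.store.add(tenant, user, password, now)
            return True
        if event_name == "POST_DELETE_USER":
            self.store.remove_user(tenant, user)
            return True
        return True  # not one of the subscribed events; nothing to do


if __name__ == "__main__":
    # Constructed walk-through: last 3 passwords, default SHA-256, WSO2's default tenant
    handler = PasswordHistoryValidationHandler(PasswordHistoryStore(history_count=3))
    handler.handle_event("POST_ADD_USER", "carbon.super", "alice", "winter2019", now=0)
    print(handler.handle_event("PRE_UPDATE_CREDENTIAL", "carbon.super", "alice", "winter2019", now=1))
    print(handler.handle_event("PRE_UPDATE_CREDENTIAL", "carbon.super", "alice", "spring2019", now=1))
```

Two points are worth noticing. Because every record carries its own salt, validating a candidate means re-hashing it once per stored record rather than looking up a single value, and the comparison uses hmac.compare_digest. The digest stays configurable exactly as the post describes; a deliberately slow password hash would raise the cost of offline guessing against a leaked history table in a way that a plain salted SHA-256 does not.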

Troubleshooting Tips

If you want to troubleshoot this feature, enable debug logs for the following packages. Add the following lines to the [WSO2_IS_HOME]\repository\conf\log4j.properties file and restart the server to print debug logs for these packages.

log4j.logger.org.wso2.carbon.identity.governance=DEBUG

log4j.logger.org.wso2.carbon.identity.password.history=DEBUG
