Can SecureLogin track password history e.g. new password is the same as the old password?

  • 7940199
  • 19-Aug-2009
  • 08-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Question

How can SecureLogin keep track of previously used passwords? I want to keep a password history so that users cannot simply make their new password the same as their current password or one of several previous passwords. However, the application is unable to maintain a password history natively.

Resolution

Answer

SecureLogin can assist application owners and security officers by enforcing a password history on an application that cannot do so natively, improving the security of the application and helping organizations meet auditing requirements.

When the application displays its password-change (or password-expired) dialog, SecureLogin detects the window and runs the matching section of the application definition. The definition stores the current and previous passwords in variables ($Password and $Password_Old1 through $Password_Old5 in the demo below, i.e. a history of five) and, when the user is prompted for a new password, compares it against each stored value before typing it into the application; a match is rejected and the user is prompted again. The history is only updated when SecureLogin sees the application's change-successful message, so a password change made outside SecureLogin is not recorded.

See the demo script for the password test application below. 

#================================================================#
# ID: PasswordText.Exe                                           #
# Name: SSO Demo Application                                     #
# Type: Windows                                                  #
# Script Version: 1.1                                            #
# Created By: MKeefe 29 Sep 2004                                 #
# Last Updated By: MCarroll 10 Jan 2007                          #
#================================================================#

#===============#
# Logon Prompt  #
#===============#
Dialog
   Title "Login"
   Class "#32770"
EndDialog
SetPrompt "Username ===>"
Type $Username #1001
SetPrompt "Password ===>"
Type $Password #1002
SetPrompt "Domain ===>"
Type $Domain #1003
Click #1

#================================#
# Change Password Dialog Window  #
#================================#
Dialog
   Title "Change Password"
   Class "#32770"
EndDialog
#============================#
# Call PwdHistory SubRoutine #
#============================#
# PwdHistory prompts for ?NewPassword and loops until the value
# differs from $Password and from all five stored $Password_OldN values.
Call "PwdHistory"
#===============================================================#
# Enter UID/PWD in appropriate fields and enter/verify new pwd  #
#===============================================================#
Type $Username #1015
Type $Password #1004
Delay 50
Type ?NewPassword #1005
Type ?NewPassword #1006
Click #1

#================================================================#
# PWD change successful: shift the history down one slot (the   #
# oldest entry, $Password_Old5, drops off) and store the new    #
# password as the current credential.                           #
#================================================================#
Dialog
   Title "Change Successful"
   Class "#32770"
EndDialog
Click #2
Set $Password_Old5 $Password_Old4
Set $Password_Old4 $Password_Old3
Set $Password_Old3 $Password_Old2
Set $Password_Old2 $Password_Old1
Set $Password_Old1 $Password
Set $Password ?NewPassword
MessageBox "Password has been changed successfully and will be remembered by SecureLogin for future logons."

#===============================================================#
# If the change failed, $Password is left unchanged, the        #
# PwdHistory routine is called again and the fields are         #
# re-entered with raw keystrokes (\T = Tab, \N = Enter).        #
#===============================================================#
Dialog
   Title "Change Failure"
   Class "#32770"
EndDialog
Click #2
MessageBox "You failed to change your password. Please try again."
Call "PwdHistory"
Type -Raw $Username
Type -Raw \T
Type -Raw $Password
Type -Raw \T
Type -Raw ?NewPassword
Type -Raw \T
Type -Raw ?NewPassword
Type -Raw \T
Type -Raw \N

#==================================================================#
# This is a demo application and its password must be reset to    #
# "single" when the application is restarted.                     #
#==================================================================#
Dialog
   Title "Password Test Application"
   Class "#32770"
EndDialog
Set $Password "single"

#============================================================================================#
# On the first password change the old-password variables do not exist yet, so they are      #
# given a placeholder value so that the comparisons in PwdHistory always have a stored       #
# value to test against. Each successful change then shifts real passwords into the history. #
#============================================================================================#
If -Exists $Password_Old1
Else
   Set $Password_Old1 null
   Set $Password_Old2 null
   Set $Password_Old3 null
   Set $Password_Old4 null
   Set $Password_Old5 null
EndIf

#=======================#
# PwdHistory SubRoutine #
#=======================#
# Every If below needs its own EndIf: six comparisons, six EndIfs.
Sub PwdHistory
   Repeat
      ChangePassword ?NewPassword
      If ?NewPassword Eq $Password
         Set ?PwdUsedBefore "Yes"
      Else
         If ?NewPassword Eq $Password_Old1
            Set ?PwdUsedBefore "Yes"
         Else
            If ?NewPassword Eq $Password_Old2
               Set ?PwdUsedBefore "Yes"
            Else
               If ?NewPassword Eq $Password_Old3
                  Set ?PwdUsedBefore "Yes"
               Else
                  If ?NewPassword Eq $Password_Old4
                     Set ?PwdUsedBefore "Yes"
                  Else
                     If ?NewPassword Eq $Password_Old5
                        Set ?PwdUsedBefore "Yes"
                     Else
                        Set ?PwdUsedBefore "No"
                     EndIf
                  EndIf
               EndIf
            EndIf
         EndIf
      EndIf
      If ?PwdUsedBefore Eq "Yes"
         MessageBox "The password that you have chosen is a previously used password. Please choose another password. It must be different from your last 5 passwords."
      Else
         Break
      EndIf
      Delay 50
   EndRepeat
EndSub

NOTE: If an application is able to enforce password history natively, that is the preferred method, because the application owner then controls the application's behavior with the application's own features. In that case SecureLogin only needs to recognize the messages the application displays and respond to them. For example, when the user enters a password that matches an old one, the application returns a change-password failure message that SecureLogin can read and interpret; SecureLogin then prompts the user to retry with a different password (or generates a random one on the user's behalf) and updates the stored credential only after the application confirms the change.
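The fragment below is an added illustration of the native-enforcement case described in the note; it is not part of the original TID or of the demo script above. It reuses the dialog titles and control IDs of the demo application and keeps no history of its own: the application decides whether the password is acceptable, and SecureLogin only reacts to the success or failure dialog. The optional Random modifier on ChangePassword mentioned in the comment is assumed from the SecureLogin command reference and should be checked against the Application Definition Guide for your version.

```text
#================================================================#
# Added example: the application enforces its own password       #
# history. SecureLogin reacts to the application's dialogs only. #
#================================================================#

#================================#
# Change Password Dialog Window  #
#================================#
Dialog
   Title "Change Password"
   Class "#32770"
EndDialog
# Prompt the user for a new password. If a password policy is
# attached to the variable, "ChangePassword ?NewPassword Random"
# lets SecureLogin generate one instead (assumed modifier).
ChangePassword ?NewPassword
Type $Username #1015
Type $Password #1004
Delay 50
Type ?NewPassword #1005
Type ?NewPassword #1006
Click #1

#================================================================#
# Success: only now is the stored credential replaced.           #
#================================================================#
Dialog
   Title "Change Successful"
   Class "#32770"
EndDialog
Click #2
Set $Password ?NewPassword

#================================================================#
# Failure: the application rejected the new password (for        #
# example because it matched its own history). $Password is      #
# left unchanged, the user is told why, and the change dialog    #
# is filled in again with raw keystrokes (\T = Tab, \N = Enter). #
#================================================================#
Dialog
   Title "Change Failure"
   Class "#32770"
EndDialog
Click #2
MessageBox "The application rejected the new password. It may match one of your previous passwords; please choose a different one."
ChangePassword ?NewPassword
Type -Raw $Username
Type -Raw \T
Type -Raw $Password
Type -Raw \T
Type -Raw ?NewPassword
Type -Raw \T
Type -Raw ?NewPassword
Type -Raw \T
Type -Raw \N
```

The point to carry over from this variant is the placement of Set $Password ?NewPassword: it runs only in the section matched by the application's change-successful dialog, so a rejected attempt can never desynchronize the credential SecureLogin stores from the one the application actually accepted.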