阻止用户使用最后5个密码? [英] Stop User from using last 5 password?

问题描述

我有一个强制用户在90天后更改密码的要求.可以通过以下方式正常工作:

I have a requirement to force a user to change password after 90 Days. This is working fine with something like the below:

if (memberUser.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date)
{
     return RedirectToAction("MyChangePasswordMethod", "MyController");
}

但是，我的另一个要求是用户不能重复使用最近的5个密码-asp.net是否附带此类内置内容?我在存储最后一个先前密码的aspnet db表中看不到任何内容.是我将最后一个密码值存储在自己的db表中，然后与输入的新密码字段进行比较，然后将其与我自己的自定义db表中的用户值进行比较吗?

However another requirement that I have is that the last 5 passwords a user has used cannot be repeated - does asp.net come with anything like this built in? I cant see anything in the aspnet db table where last previous passwords are stored. Will it be a matter of me storing the last password values in my own db table and then doing a compare against the new password field entered against the values for the user in my own custom db table?

推荐答案

正如您所发现的那样，没有内置任何内容，因此您必须为用户和用户存储以前的密码-确保将它们加密或加密.请检查该列表，以确保它们没有重复使用.确保对哈希/加密使用相同的盐，否则将永远不会获得与该密码相同的匹配项.

As you've spotted there's nothing built in so you'll have to store the previous passwords - make sure they're hashed or encrypted - for a user and check that list to make sure they aren't reusing one. Make sure you use the same salt for the hashing/encryption otherwise you'll never get a match for the same password.

我将存储所有以前的密码.这意味着当它们遇到5个更改时，您不必从表中清除旧数据；如果需求更改为不重用最近的10或15个更改，您将拥有数据.如果您还存储了更改密码的日期，则可以进行检查，说最近12个月内不要重复使用.

I'd store all their previous passwords. This means you don't have to clear old data out of the table when they hit 5 changes and if the requirement changes to not reuse the last 10 or 15 changes you'll have the data. If you also store the date the password was changed you can build in a check to say no reuse in the last 12 months instead.

在存储散列/加密密码并进行检查时，没有机会将纯文本版本从系统中删除.

As you are storing the hashed/encrypted password and checking against that there's no chance of getting the plain text version out of your system.

我要有一个"UserId"，"Password"和"DateChanged"表.然后，您可以找到该用户的最后N个密码，并将新密码的哈希/加密版本与此列表进行比较:

I'd have a table of "UserId", "Password" and "DateChanged". Then you can find the last N passwords for this user and compare the hashed/encrypted version of the new password against this list:

var encryptedPassword = MembershipProvider.EncryptPassword(password);
int numberOfReuse = 5;  // or configurable
var historiesQuery = (from histories in dataContext.GetTable<PasswordHistory>()
                      where histories.UserId == userId
                      orderby histories.PasswordDate descending
                      select histories.Password).Take<string>(numberOfReuse);

return historiesQuery.Contains<string>(enycryptedPassword);

如果已经使用过密码，则返回true.

This returns true if the password has been used already.

这篇关于阻止用户使用最后5个密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！