Reputation: 7818
I'm completing the PCIDSS assessment.
The requirements state passwords must be changed at least every 90 days, and be different from any of the previous 4 passwords.
I'm not certain whether this is for access to the server, or to the application I provide to users on the server.
If it's the latter - is there any way of enforcing this in an ASP.Net 3.5/4 web application, and in an MVC4 web application?
Thanks, Mark
Upvotes: 1
Views: 2345
Reputation: 129
"I'm not certain whether this is for access to the server, or to the application I provide to users on the server."
Generally PCI DSS focuses on the server, so this is for access to the server.
Upvotes: -1
Reputation: 107267
For your first requirement, Asp.Net Membership has a property MembershipUser.LastPasswordChangedDate which you can then hook into your login like so:
if (Membership.ValidateUser(userName, password))
{
    MembershipUser theUser = Membership.GetUser(userName);
    // Password older than 90 days: force a change before issuing the auth cookie
    if (theUser.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date)
    {
        // Inform user password expired + redirect user to change password screen
        return; // do not fall through and set the auth cookie for an expired password
    }
    FormsAuthentication.SetAuthCookie(userName, rememberMe);
}
The second requirement (viz. cannot be the same as the last 4 passwords) you will need to implement yourself. As a suggestion, create a new table UserPasswordHistory
foreign keyed back to aspnet_Users.UserId containing a password hash, which gets inserted every time the user changes his/her password. You can then compare the hash of the new password with the previous 4 and reject accordingly.
Upvotes: 1
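Added example (not code from the answer above or from ASP.NET Membership): one way to implement both checks the answer describes, the 90-day expiry and the "not one of the last 4 passwords" rule, with a salted PBKDF2 hash per history entry. The table name UserPasswordHistory, the column names, and the PasswordPolicy class are assumptions for illustration. Because each history row carries its own salt, the new password has to be re-derived against each row's salt rather than hashed once and compared, which is the one detail the answer's "compare the hash" phrasing glosses over.

```csharp
// Assumed table (illustrative, not part of ASP.NET Membership):
//   CREATE TABLE UserPasswordHistory (
//       UserId    UNIQUEIDENTIFIER NOT NULL,  -- FK to aspnet_Users.UserId
//       Salt      VARBINARY(16)    NOT NULL,
//       Hash      VARBINARY(32)    NOT NULL,
//       CreatedOn DATETIME         NOT NULL);
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

public class PasswordHistoryEntry
{
    public byte[] Salt;
    public byte[] Hash;
    public DateTime CreatedOn;
}

public static class PasswordPolicy
{
    public const int MaxAgeDays = 90;   // change at least every 90 days
    public const int HistoryDepth = 4;  // must differ from the previous 4
    const int Iterations = 10000;       // PBKDF2 work factor (assumed value)
    const int HashBytes = 32;

    // Build a new history row for a password the user has just chosen.
    // A fresh random salt per row means identical passwords never share a hash.
    public static PasswordHistoryEntry CreateEntry(string password, DateTime now)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return new PasswordHistoryEntry
        {
            Salt = salt,
            Hash = Derive(password, salt),
            CreatedOn = now
        };
    }

    // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes, available in .NET 3.5 and 4.
    static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }

    // Compare every byte so the time taken does not reveal where a mismatch occurred.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Expiry check, same rule as the login snippet in the answer:
    // feed MembershipUser.LastPasswordChangedDate as lastChanged.
    public static bool IsExpired(DateTime lastChanged, DateTime now)
    {
        return lastChanged.Date.AddDays(MaxAgeDays) < now.Date;
    }

    // History check: true if the candidate equals any of the HistoryDepth
    // most recent entries. Each entry is re-derived with its own salt.
    public static bool IsReused(string candidate, IEnumerable<PasswordHistoryEntry> history)
    {
        return history.OrderByDescending(e => e.CreatedOn)
                      .Take(HistoryDepth)
                      .Any(e => FixedTimeEquals(Derive(candidate, e.Salt), e.Hash));
    }
}

// Usage sketch from a change-password handler (repository calls are assumed):
//   var history = repo.LoadHistory(user.ProviderUserKey);   // rows for this UserId
//   if (PasswordPolicy.IsReused(newPassword, history))
//       return "Password must differ from your previous 4 passwords.";
//   if (user.ChangePassword(oldPassword, newPassword))      // Membership does the real change
//       repo.Insert(user.ProviderUserKey, PasswordPolicy.CreateEntry(newPassword, DateTime.UtcNow));
```

Insert the history row only after Membership reports the change succeeded, otherwise a failed change still consumes one of the four history slots. Keeping the current password's row in the table as well means the "previous 4" naturally includes the one being replaced.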
Reputation: 24430
Is this for an in-house application? If so, consider integration with LDAP/Active Directory (assuming that's being used for your network passwords). That can then take care of the password rules (i.e. tracking what's been used before, making sure passwords are sufficiently complex & different from previous ones & enforcing change frequency). It also means your users won't have to remember/keep in sync multiple passwords, which they'll thank you for.
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
Upvotes: 1
Reputation: 457
You could save the passwords in another table, along with the date created. That would be fairly straightforward.
Upvotes: 0