14

I have a requirement to force a user to change password after 90 Days. This is working fine with something like the below:

if (memberUser.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date)
{
     return RedirectToAction("MyChangePasswordMethod", "MyController");
}

However another requirement that I have is that the last 5 passwords a user has used cannot be repeated - does asp.net come with anything like this built in? I cant see anything in the aspnet db table where last previous passwords are stored. Will it be a matter of me storing the last password values in my own db table and then doing a compare against the new password field entered against the values for the user in my own custom db table?

Soner Gönül
  • 97,193
  • 102
  • 206
  • 364
Ctrl_Alt_Defeat
  • 3,933
  • 12
  • 66
  • 116
  • 1
    Yes, you have to do it by your own but you don't need to create any _custom_ DB table to store old passwords/hashes, simply use a profile property (where you store old passwords/hashes in a, for example, comma separated list). – Adriano Repetti Feb 25 '13 at 11:03
  • No, asp.net membership does not have this feature. You will have to implement it. But don't store passwords, store hashes. – Anri Feb 25 '13 at 11:02

1 Answers1

20

As you've spotted there's nothing built in so you'll have to store the previous passwords - make sure they're hashed or encrypted - for a user and check that list to make sure they aren't reusing one. Make sure you use the same salt for the hashing/encryption otherwise you'll never get a match for the same password.

I'd store all their previous passwords. This means you don't have to clear old data out of the table when they hit 5 changes and if the requirement changes to not reuse the last 10 or 15 changes you'll have the data. If you also store the date the password was changed you can build in a check to say no reuse in the last 12 months instead.

As you are storing the hashed/encrypted password and checking against that there's no chance of getting the plain text version out of your system.

I'd have a table of "UserId", "Password" and "DateChanged". Then you can find the last N passwords for this user and compare the hashed/encrypted version of the new password against this list:

var encryptedPassword = MembershipProvider.EncryptPassword(password);
int numberOfReuse = 5;  // or configurable
var historiesQuery = (from histories in dataContext.GetTable<PasswordHistory>()
                      where histories.UserId == userId
                      orderby histories.PasswordDate descending
                      select histories.Password).Take<string>(numberOfReuse);

return historiesQuery.Contains<string>(enycryptedPassword);

This returns true if the password has been used already.

To do the date based check:

var encryptedPassword = MembershipProvider.EncryptPassword(password);
DateTime testDate = DateTime.Now.AddMonths(-12);  // configurable
var historiesQuery = (from histories in dataContext.GetTable<PasswordHistory>()
                      where histories.UserId == userId
                      and histories.PasswordDate >= testDate
                      orderby histories.PasswordDate descending
                      select histories.Password);

return historiesQuery.Contains<string>(enycryptedPassword);
ChrisF
  • 134,786
  • 31
  • 255
  • 325
  • Many thanks for your edits - was not aware of the MembershipProvider.Encrypt method - will this work if I have used password with salt as my format? (i.e. password format in my membership table in aspnet db is 1) – Ctrl_Alt_Defeat Feb 25 '13 at 11:54
  • 1
    @KOL - I'm just double checking that for myself :) – ChrisF Feb 25 '13 at 11:55