Question

I have a requirement that when resetting a password, the new password should be different from old passwords. I'm thinking of designing this as a User object having multiple Password objects, with the Password object containing userId, password and createdDate.

When a password is reset, it will check the new password against all old passwords (except the latest password) for the user, and if a match is found, it will be discarded.

If it's not already in the list of old passwords, it will create a new entry in the Password list for the user. When a user logs in, the system should check against the latest password based on createdDate.

Just wanted to check your thoughts on this design and see if there's a better way to do this. Thanks.


Solution

> (except the latest password)

Why are you not checking it against the latest password? Please note that you have mentioned this step before you've actually stored the new password, so you should check it against all old passwords.

This sounds fine; however, your Password property should be a salted and hashed password, not the actual password in plain text.

You should choose a standard (i.e. strong and proven) algorithm such as PBKDF2 or bcrypt.

Licensed under: CC-BY-SA with attribution