I have a requirement to set Password History limit in WSO2 - IS, i.e if my current password is "password1", and if am trying to changing the password with "password1" again, it should not accept.
If I set my password history limit as "3", then the new password should be different from last 3 password for that particular account.
We are using SQL Server as the user store for WSO2.
Also some previous answers for similar question suggests that I need to implement a custom password policy and add it to wso2. Is that true for version WSO2 IS 4.6.0 ?
Also will this policy apply to both "Forgot your password" and "change password" apis of the wso2 sdk? Or only to change password api?
Yes. You are correct. This is not supported by WSO2 Identity Server by default.(Even with latest 5.0.0 version). You need to write a custom password policy implementation by your own to do this. Also, you may need to develop some custom SQL tables to store older password. SQL user store of Identity Server only stores the current password.
Related
We would like to implement the feature of remembering user's passwords in our application similar to how Microsoft SQL Server login credentials are stored.
(nothing to do with SQL server connection)
We researched and found some information on this.
However, it is not clear how the process/flow of encryption/decryption takes place, i.e, how the process of securely saving and matching of password takes place during validation process.Some of the websites also mention that the SQL login passwords can be cracked.
As per this document from Microsoft, Windows DPAPI is also being used in the form of Service Master Key (SMK) to secure data stored in database, but the actual SQL credentials validation flow is not mentioned. (We found this question as well which mentions DPAPI.)
So is there any method where we can store user's application passwords similar to SQLServer's methodology or any other secure method to ensure they are not cracked or decrypted?
We have also read that DPAPI-encrypted passwords can be cracked.
EDIT 11/05/2022:
Added screenshot of SQL Server login page, and made minor edits to content.
I've get a fresh install of SQL Server 2012 and do not want to use integrated security. Instead I'd like to use SQL Server authentication, where I create logins in SQL server and assign passwords. However, this option doesn't seem to be available (see screen snapshot below). Every option available to me under "User Type" (other than those that aren't related to accounts at all) want me to map to existing Windows Domain accounts.
In the old days, I'd specify a desired login name and be prompted for a password to go along with it, and I'd be done. Now there's no option to specify a password--I'm forced to map my new login to an existing
windows domain account. Not what I want. What am I missing here? Thanks in advance.
** edit ** New screen snapshots added after RB's comment. I did indeed have an option disabled that would allow BOTH Windows and SQL Server authentication modes, but it's turned on now. After doing so and restarting SQL Server, it is NOT making a difference:
Here is what I am presented with when I try to create a new user. None of these options simply allow me to create a login and password in the context of SQL server (well, one allows creation of a login with no password at all... useless!) All others are linked to existing Windows logins. Ideas?
Let's do this in a way that doesn't require pictures and right-clicking.
CREATE LOGIN [yourUserName] WITH PASSWORD = 'someStrongPassword';
CREATE USER [yourUserName];
I want to set the username and password on the mongoDB, so that if someone is trying to connect to the mongoDB via, mongo shell he should enter the credentials first, without that he cant login to the database.
Authentication is supported by MongoDB in form of standard (username and password) and Kerberos/LDAP authentication - only available in enterprise commercial versions. These are role based authentication and custom roles can be defined for specific needs.
You must read https://docs.mongodb.org/manual/core/authentication/
I'm creating a login on a Windows Azure SQL Database as described here.
Just a simple question: it mentions on the page that the 'CHECK_EXPIRATION' option is not supported. Am I correct to assume that this mean that no expiration policy is enforced?
I'm just concerned that our Azure app will die one day because the password for our app user has expired :(. Could somebody kindly confirm my assumption and put my mind at rest :)?
Since the default value for CHECK_EXPIRATION is OFF and Windows Azure SQL Database does not support the CHECK_EXPIRATION option, no password expiration policy will be enforced.
Is it possible to retrieve (if the user has sa rights) the password of a user in SQL Server 2008 R2?
The scenario is this: I need to automatically store in a document the list of all usernames and passwords, but without changing the password, just reading the actual password.
Is this possible or not?
Yes you can for SQL logins.
You read the hashed passwords sys.sql_logins (maybe only via the DAC) and use a tool like NGS SQLCrack.
However, there is almost no requirement ever to keep these in a document.
For Windows based logins, no. The password is in AD.
And read this: "What are the arguments for and against a network policy where the sys admin knows users passwords?"