Uploaded image for project: 'i2b2 Core Software'
  1. i2b2 Core Software
  2. CORE-283 Security enhancements
  3. CORE-300

Do not allow current password to be used as new password

Details

    • Sub-Task
    • Status: Resolved
    • Major
    • Resolution: Done
    • None
    • 1.7.10
    • None

    Description

      Currently when a user changes their password they can enter the same password. In other words if their current password is demo, then they can enter demo as their "new" password. In 1.7.10 we introduce a new feature where administrators can enforce mandatory password changes. This bug creates a loophole around the requirement if users are able to reset their password to the same password.

      This check will only be relevant to the current password and the new password that they are entering.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          jmd86 Janice Donahoe created issue -
          jmd86 Janice Donahoe made changes -
          Field Original Value New Value
          Status New [ 10000 ] Open [ 1 ]
          jmd86 Janice Donahoe made changes -
          Fix Version/s 1.7.10 [ 10307 ]
          jmd86 Janice Donahoe made changes -
          Summary Do not allow users to enter the same password when required to change it Do not allow current password to be used as new password
          jmd86 Janice Donahoe made changes -
          Description When users are changing their password their new one should not be the same as their current one. This is especially true now that i2b2 has the ability to enforce mandatory password changes (release 1.7.10).

          This check will only be relevant to the current password and the new password that they are entering.           		Currently when a user changes their password they can enter the same password. In other words if their current password is demo, then they can enter demo as their "new" password. In 1.7.10 we introduce a new feature where administrators can enforce mandatory password changes. This bug creates a loophole around the requirement if users are able to reset their password to the same password.

          This check will only be relevant to the current password and the new password that they are entering.
          jmd86 Janice Donahoe made changes -
          Assignee Mike Mendis [ mem61 ] Janice Donahoe [ jmd86 ]
          jmd86 Janice Donahoe made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          jmd86 Janice Donahoe made changes -
          Status In Progress [ 3 ] Ready to Test [ 10001 ]
          jmd86 Janice Donahoe made changes -
          Status Ready to Test [ 10001 ] Testing [ 10002 ]
          jmd86 Janice Donahoe added a comment -
          Tested and is working correctly. When a user is changing their password, the system will verify the new password they are entering is not the same as their current password.
          jmd86 Janice Donahoe added a comment - Tested and is working correctly. When a user is changing their password, the system will verify the new password they are entering is not the same as their current password.
          jmd86 Janice Donahoe made changes -
          Resolution Done [ 10001 ]
          Status Testing [ 10002 ] Resolved [ 5 ]
          jmd86 Janice Donahoe made changes -
          Labels wikidoc
          jmd86 Janice Donahoe made changes -
          Labels wikidoc wikirelease

          People

            jmd86 Janice Donahoe
            jmd86 Janice Donahoe
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: