Security enhancements (CORE-283)

[CORE-300] Do not allow current password to be used as new password Created: 29/Mar/18  Updated: 25/Apr/18  Resolved: 12/Apr/18

Status: Resolved
Project: i2b2 Core Software
Component/s: None
Affects Version/s: None
Fix Version/s: 1.7.10

Type: Sub-Task
Priority: Major
Reporter: Janice Donahoe
Assignee: Janice Donahoe
Resolution: Done
Votes: 0
Labels: wikirelease
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 0|i003xb:
Sprint: v1710.1

Currently, when a user changes their password, they can enter the same password: if their current password is demo, they can enter demo as their "new" password. In 1.7.10 we introduce a feature that lets administrators enforce mandatory password changes. This bug creates a loophole around that requirement, because users can reset their password to the same password.

This check compares only the current password and the new password being entered.
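The check described in this ticket, as an added example that is not i2b2's own code (i2b2 is Java; this is a stand-alone Python sketch). It assumes the server stores only a salted PBKDF2 hash of the password, so "new password equals current password" is decided by verifying the candidate new password against the stored hash rather than by comparing plaintexts. The record layout and the function names (`make_record`, `verify`, `change_password`) are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed example: server-side password change that rejects reuse of the
# current password. Only a salted PBKDF2 hash is stored, never the plaintext.

ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt (assumed storage scheme)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    # Create the stored credential record for a user (constructed layout)
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    # Constant-time comparison of the candidate hash against the stored hash
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def change_password(record: dict, current: str, new: str) -> tuple:
    """Return (changed, reason). On success the record is updated in place."""
    if not verify(record, current):
        return False, "current password incorrect"
    # The check this ticket introduces: the new password must not be the
    # current one. Verifying `new` against the stored hash works even when
    # this layer never sees the plaintext current password.
    if verify(record, new):
        return False, "new password must differ from current password"
    new_salt = os.urandom(16)
    record["salt"] = new_salt
    record["hash"] = hash_password(new, new_salt)
    return True, "password changed"


if __name__ == "__main__":
    rec = make_record("demo")
    print(change_password(rec, "demo", "demo"))   # rejected: same password
    print(change_password(rec, "demo", "demo2"))  # accepted
```

Re-hashing with a fresh salt on every change keeps the stored hash from revealing whether two successive passwords were identical, and the rejection message deliberately says nothing about what the current password is.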

Comment by Janice Donahoe [ 12/Apr/18 ]
Tested and is working correctly. When a user is changing their password, the system will verify the new password they are entering is not the same as their current password.