Hi,

I need to improve security in a website built on grails.

The requirement is that when a user changes its password, it shouldn't be able to choose from any of the previous N passwords.

Does anyone know a module for this? Should I roll my own?

Any thoughts / tips will be appreciated.

Thanks in advance

A: 

It depends on your requirements. There are several security plugins available; for a list, see the "Providing login and page level security" heading at http://www.grails.org/Security. If you want to roll your own, just create a domain class that contains old passwords, associate it with a specific user, and if the new password is in the list of old passwords stored in your domain, don't allow the user to use it.

Jared

A: 

The requirement is that when a user changes its password, it shouldn't be able to choose from any of the previous N passwords.

Please push back on this requirement. It's inane and doesn't improve security a bit. Every time you make users change passwords, you're increasing the odds that they will simply write it down and stick it to their monitor. Preventing them from reusing old passwords makes it even worse.

This is a security "best practice" like bleeding and leaches used to be a medical best practice; everybody was doing it out of ignorance.

noah

A: 

It's not difficult to roll your own.

Make use of the GORM beforeSave event, compare the passwords, and either cancel or proceed with the save depending on the result of the comparison.

Seymour Cakes
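An added sketch (not code from the thread) of Jared's "domain class of old passwords" plus the check Seymour describes, with the history bookkeeping in a transactional service rather than a GORM event (GORM's events are beforeInsert/beforeUpdate, and persisting new rows from inside them is fragile). It assumes a Grails 3.3+ app with the Spring Security Core plugin, whose `springSecurityService.passwordEncoder` is a Spring `PasswordEncoder` (bcrypt), so only hashes are ever stored; the classes are shown in one listing but belong in their own files under grails-app/domain and grails-app/services, and the simplified `User` here stands in for the plugin's generated one.

```groovy
import grails.gorm.transactions.Transactional

class User {
    String username
    String password   // the encoder's hash, never the plaintext
    static constraints = { username blank: false, unique: true; password blank: false }
}

// One row per retired hash; the current hash stays on User.
class PasswordHistory {
    User user
    String passwordHash
    Date dateCreated   // filled in by GORM on insert
    static belongsTo = [user: User]
    static constraints = { passwordHash blank: false }
}

@Transactional
class PasswordService {
    static final int HISTORY_SIZE = 5   // the "N" from the question; the current password counts as one
    def springSecurityService           // plugin bean; passwordEncoder is a Spring PasswordEncoder (bcrypt)

    /** True if newPassword equals the current password or any retained earlier one. */
    boolean isReused(User user, String newPassword) {
        def encoder = springSecurityService.passwordEncoder
        // Each bcrypt hash carries its own salt, so compare by re-hashing, never by string equality
        if (encoder.matches(newPassword, user.password)) return true
        PasswordHistory.findAllByUser(user).any { encoder.matches(newPassword, it.passwordHash) }
    }

    /** Refuses a reused password; otherwise retires the current hash and stores the new one. */
    boolean changePassword(User user, String newPassword) {
        if (isReused(user, newPassword)) return false
        new PasswordHistory(user: user, passwordHash: user.password).save(failOnError: true)
        // Keep only the newest N-1 retired hashes; with the new current hash that makes N
        def retired = PasswordHistory.findAllByUser(user, [sort: 'dateCreated', order: 'desc'])
        retired.drop(HISTORY_SIZE - 1)*.delete()
        user.password = springSecurityService.passwordEncoder.encode(newPassword)
        user.save(failOnError: true)
        true
    }
}
```

Because the retained values are salted one-way hashes, a leaked history table reveals no more than the users table already would; the trade-off is that each check costs one bcrypt computation per retained entry.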