E-SEC: Password History Is Not Restricting Previously Used Passwords
(Doc ID 2358457.1)
Last updated on FEBRUARY 04, 2019
Applies to: PeopleSoft Enterprise PT PeopleTools - Version 8.56 and later
Information in this document applies to any platform.
On: 8.56 version, Security
Password History is not restricting previously used passwords.
After upgrading to PT 8.56.05, users are able to reuse a password that falls within the "Passwords to Retain" count. "Passwords to Retain" is currently set to 6.
The issue can be reproduced at will with the following steps:
1. Navigate to PeopleTools -> Security -> Password Configuration -> Password Controls
2. Set “Passwords to Retain” = 6
3. Save and restart application server
- Note: Any changes to the password controls require the application server to be restarted.
4. Sign on as user: <LOGIN>: <PASSWORD>
5. Navigate to “Change My Password”
6. Enter new Password <e.g. Password1>
7. Sign out
8. Sign in with new password <Password1>
9. Navigate back to "Change My Password".
10. Enter new Password <e.g. Password2>
11. Sign out
12. Sign in using new password <Password2>
13. Navigate back to "Change My Password".
14. Enter Password used previously from step #6 <Password1>
15. Message confirms “Your password has successfully been changed.”
16. With password controls enabled, the user should receive an error that the password was previously used; however, Password1 is accepted and saved.
17. Sign out
18. Sign on using password <Password1> - this verifies that previously used password is valid.