My Oracle Support Banner

E-SEC: Password History Is Not Restricting Previously Used Passwords (Doc ID 2358457.1)

Last updated on FEBRUARY 28, 2018

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.56 and later
Information in this document applies to any platform.

Symptoms

On : 8.56 version, Security

ACTUAL BEHAVIOR
---------------
Password History not restricting previously used passwords

After upgrading to PT 8.56.05, users are able to reuse a password previously used within the "Passwords to Retain" count. Currently "Passwords to Retain" set to 6.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Navigate to PeopleTools-> Security-> Password Configuration-> Password Controls
2. Set “Passwords to Retains” = 6

3. Save and restart application server
- Note: Any changes to the password controls require the application server to be restarted.
4. Sign on as user: CALEXANDER: CALEXANDER1
5. Navigate to “Change My Password”
6. Enter new Password (e.g. Password1)

7. Sign out
8. Sign in as CALEXANDER with new password (Password1)
9. Navigate back to "Change My Password".
10. Enter new Password (e.g. Password2)
11. Sign out
12. Sign in as CALEXANDER using new password (Password2)
13. Navigate back to "Change My Password".
14. Enter Password used previously from step #6 (Password1)
15. Message confirms “Your password has successfully been changed.”

16. However, with password controls enabled the user should receive an error that password was previously used; however, Password1 is accepted and saved.
17. Sign out
18. Sign on as CALEXANDER using new password (Password1) - this verifies that previously used password is valid.



Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.