
E-SEC: Password History Is Not Restricting Previously Used Passwords (Doc ID 2358457.1)

Last updated on FEBRUARY 04, 2019

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.56 and later
Information in this document applies to any platform.

Symptoms

On: 8.56 version, Security

ACTUAL BEHAVIOR
---------------
Password History not restricting previously used passwords

After upgrading to PT 8.56.05, users are able to reuse a password previously used within the "Passwords to Retain" count. Currently, "Passwords to Retain" is set to 6.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Navigate to PeopleTools-> Security-> Password Configuration-> Password Controls
2. Set “Passwords to Retain” = 6

3. Save and restart application server
- Note: Any changes to the password controls require the application server to be restarted.
4. Sign on as user: <LOGIN>: <PASSWORD>
5. Navigate to “Change My Password”
6. Enter new Password <e.g. Password1>

7. Sign out
8. Sign in with new password <Password1>
9. Navigate back to "Change My Password".
10. Enter new Password <e.g. Password2>
11. Sign out
12. Sign in using new password <Password2>
13. Navigate back to "Change My Password".
14. Enter Password used previously from step #6 <Password1>
15. Message confirms “Your password has successfully been changed.”

16. With password controls enabled, the user should receive an error that the password was previously used; instead, Password1 is accepted and saved.
17. Sign out
18. Sign on using password <Password1> - this verifies that previously used password is valid.
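
The behavior the steps above expect from the control, as an added reference model (not PeopleTools code and not part of this document). The class and function names, the PBKDF2 hashing, and the choice to count the current password as one retained entry are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordHistory:
    """Hypothetical model of a "Passwords to Retain" control."""

    def __init__(self, retain: int):
        # Only the newest `retain` entries are kept; older ones fall off.
        self._entries = deque(maxlen=retain)  # items are (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Assumption: salted PBKDF2-SHA256; the iteration count is constructed.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def was_used(self, candidate: str) -> bool:
        # Every stored entry has its own salt, so the candidate has to be
        # re-hashed with each entry's salt before it can be compared.
        return any(
            hmac.compare_digest(self._digest(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def change(self, new_password: str) -> bool:
        """Return True if the change is accepted, False if it is a reuse."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(new_password, salt)))
        return True


def replay(retain: int, passwords: list) -> list:
    """Apply a sequence of password changes and record accept/reject."""
    history = PasswordHistory(retain)
    return [history.change(p) for p in passwords]


if __name__ == "__main__":
    # Steps 6, 10 and 14 from the reproduction, with the setting from step 2.
    print(replay(6, ["Password1", "Password2", "Password1"]))
```

Replaying the same three changes through the real "Change My Password" page after applying a fix should give the same accept, accept, reject pattern.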



Changes

 

Cause
