Password re-use

User passwords are stored using SSHA-256. What is the best way to make functionality which validates, on a password change, if the password isn't used before by the user?
1 answers

Check out this post and this post.

Basically, you need to create a PW Log entity and associate it with the users. Then when setting up a password you call a Java action to verify it hasn't been used before.

Here's an example Java action that I recently made with parameters List of Logs and String password:

    this.logs = new java.util.ArrayList<authentication.proxies.PasswordLog>();
    if (__logs != null)
        for (IMendixObject __logsElement : __logs)
            this.logs.add(authentication.proxies.PasswordLog.initialize(getContext(), __logsElement));

    IContext ctx = getContext();
    for (IMendixObject log : this.__logs)
        MendixHashString pw = (MendixHashString) log.getMember(ctx, "Value");
        //If the password is already in the logs, return false.
        if (pw != null)
            if (pw.verifyValue(ctx, password))
                return false;

    //Password has not been used
    return true;

This will work with salted hashes (SSHA-256). Read the posts for more details.