Password Reuse Prevention - hmislk/hmis GitHub Wiki

Language: English ยท เทƒเท’เถ‚เท„เถฝ

Password Reuse Prevention

Overview

To enhance security, HMIS includes functionality to prevent users from reusing old passwords. This feature is configurable, allowing system administrators to enable or disable it based on organisational policy.

Configuration

The behaviour is controlled by two Application Config Options:

Key Type Default Effect
prevent_password_reuse Boolean false When true, blocks reuse of any password in the user's recent history
password_history_limit Integer 5 How many of the most recent previous passwords are checked

The key is all-lowercase with underscores (prevent_password_reuse). It is not the friendlier "Prevent Password Reuse" form sometimes shown in screenshots.

Edit these from Administration โ†’ Manage Institutions โ†’ Application Options, then click Reload Config.

For the full list of password and login security keys (strength, expiration, forced reset, session timeout), see Password and Login Security Configuration.

How It Works

  1. Password History Tracking Each time a user successfully changes their password, the system stores a hash of the old password in the database, linked to that user.

  2. Validation During Password Change When a user attempts to change their password:

    • The new password is hashed.
    • If Prevent Password Reuse is enabled, the hash is checked against the stored history.
    • If a match is found, the system rejects the change with a clear error message.
  3. Last Password Reset Timestamp Along with history, the system updates the field lastPasswordResetAt for audit and expiration logic. This ensures that monthly expiration checks remain in sync with the new security rule.

  4. System Feedback If a disallowed password is attempted:

    • The system informs the user that the new password matches a previously used one and cannot be set.

Example Workflow

  • Prevent Password Reuse = true

    • User changes password from Pass@123 โ†’ Pass@456 โ†’ Pass@789.
    • Later, attempting to reuse Pass@123 will be blocked.
  • Prevent Password Reuse = false

    • Same sequence as above, but reusing Pass@123 is allowed.

Related Features

  • Username Check โ€” controlled by Prevent matching password with username
  • Complexity Rules โ€” controlled by Enforce password complexity (default regex requires uppercase, lowercase, digit, and special character, min 8 chars)
  • Expiration โ€” controlled by Enable password expiration + Set password expiration period (days) (default 30 days when enabled)
  • Admin-Forced Reset โ€” controlled by Allow admin to force password change

See Password and Login Security Configuration for the full configuration reference.

References

Back