Password Reuse Prevention - hmislk/hmis GitHub Wiki
Language: English ยท เทเทเถเทเถฝ
Password Reuse Prevention
Overview
To enhance security, HMIS includes functionality to prevent users from reusing old passwords. This feature is configurable, allowing system administrators to enable or disable it based on organisational policy.
Configuration
The behaviour is controlled by two Application Config Options:
| Key | Type | Default | Effect |
|---|---|---|---|
prevent_password_reuse |
Boolean | false |
When true, blocks reuse of any password in the user's recent history |
password_history_limit |
Integer | 5 |
How many of the most recent previous passwords are checked |
The key is all-lowercase with underscores (
prevent_password_reuse). It is not the friendlier "Prevent Password Reuse" form sometimes shown in screenshots.
Edit these from Administration โ Manage Institutions โ Application Options, then click Reload Config.
For the full list of password and login security keys (strength, expiration, forced reset, session timeout), see Password and Login Security Configuration.
How It Works
-
Password History Tracking Each time a user successfully changes their password, the system stores a hash of the old password in the database, linked to that user.
-
Validation During Password Change When a user attempts to change their password:
- The new password is hashed.
- If
Prevent Password Reuseis enabled, the hash is checked against the stored history. - If a match is found, the system rejects the change with a clear error message.
-
Last Password Reset Timestamp Along with history, the system updates the field
lastPasswordResetAtfor audit and expiration logic. This ensures that monthly expiration checks remain in sync with the new security rule. -
System Feedback If a disallowed password is attempted:
- The system informs the user that the new password matches a previously used one and cannot be set.
Example Workflow
-
Prevent Password Reuse = true
- User changes password from
Pass@123โPass@456โPass@789. - Later, attempting to reuse
Pass@123will be blocked.
- User changes password from
-
Prevent Password Reuse = false
- Same sequence as above, but reusing
Pass@123is allowed.
- Same sequence as above, but reusing
Related Features
- Username Check โ controlled by
Prevent matching password with username - Complexity Rules โ controlled by
Enforce password complexity(default regex requires uppercase, lowercase, digit, and special character, min 8 chars) - Expiration โ controlled by
Enable password expiration+Set password expiration period (days)(default 30 days when enabled) - Admin-Forced Reset โ controlled by
Allow admin to force password change
See Password and Login Security Configuration for the full configuration reference.