Password History Validation Issue with QBMPwdHistory Hash Comparison

Hi All,


One of our customers requires that, when setting a user password, the system checks the last 12 previously used passwords and prevents saving the new password if it matches any of them.

During our analysis, we observed that the password history is stored in the QBMPwdHistory table, which keeps the last 12 records. Up to this point, there is no issue. However, since we believe that this validation is not being properly enforced, we decided to implement a custom script.

In the QBMPwdHistory table, passwords are stored as HashValue, but it is unclear which algorithm is used for hashing. We attempted to reverse or interpret these values but were unable to reach a meaningful result. We also identified the system’s built-in script named ADS_PwdValidate and reviewed it; although it utilizes the VI.DB.Passwords libraries, we were still unable to derive a working solution.

Our primary objective is either to hash the newly entered password using the same algorithm and compare it against the stored values, or alternatively, to decrypt the existing password hashes in the QBMPwdHistory table and perform the comparison. The second approach does not seem reliable, but we are considering it as a fallback option if the first approach cannot be implemented.

We would greatly appreciate your assistance on this matter.

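The hash-and-compare approach from the post, as an added example that is not part of the original post and is not the product's own code. It assumes each history record is a salted PBKDF2-HMAC-SHA256 value; the post states that the real algorithm behind HashValue is unknown, so the record layout and every name here are hypothetical.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 12      # from the post: the last 12 passwords are kept
ITERATIONS = 600_000    # assumed PBKDF2 work factor, not taken from the product


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build one history record (hypothetical layout: salt, iterations, hash)."""
    salt = os.urandom(16)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def matches(password: str, record: dict) -> bool:
    """Re-derive the candidate with the record's own salt, then compare.

    A one-way hash cannot be decrypted, so the stored value is never turned
    back into a password; the new password is hashed the same way instead.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


class PasswordHistory:
    """Keeps the newest `depth` records, like a 12-row history table."""

    def __init__(self, depth: int = HISTORY_DEPTH, iterations: int = ITERATIONS):
        self.records = deque(maxlen=depth)  # oldest record drops off automatically
        self.iterations = iterations

    def is_reused(self, password: str) -> bool:
        # Salts differ per record, so the password is re-hashed once per entry.
        # Every entry is checked (no early exit) to keep timing uniform.
        hits = [matches(password, record) for record in self.records]
        return any(hits)

    def set_password(self, password: str) -> bool:
        """Reject the change if the password is in the history, else store it."""
        if self.is_reused(password):
            return False
        self.records.append(make_record(password, self.iterations))
        return True
```

Because each record carries its own salt, the same password produces a different stored value every time, which is why stored hashes cannot be matched by hashing the new password once without knowing the per-record parameters.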