Since midPoint 3.6, password history entries are stored in hashed form. In midPoint 3.5.1 and earlier, the history entries were stored in encrypted form. Storing password history in hashed form is more secure. However, it rules out password policies that depend on approximate similarity between a new password and historical passwords: when the history is hashed, only exact matches can be detected. The password history storage scheme can be set in the security policy configuration.
Existing password reuse
This feature is available since midPoint 4.3 .4.1. However, a slightly different setting has to be used to enable it. It was enabled in the password policy (value policy), as shown in the deprecated example below.
When password history is enabled, a password that was once set can by default never be reused. That makes perfect sense for many scenarios. Now consider a situation where you synchronize the password to 10 different resources, using the focus password as the source. One resource throws a network error and the password is not changed there, while the other 9 resources receive the new password without problems. The focus password is saved as well and appended to the history. Now you want to set the password on the failed resource again. In the default scenario you cannot, because the password is already in the history and cannot be reused. Luckily, midPoint has an option that allows this under certain circumstances.
The option historyAllowExistingPasswordReuse allows the existing focus password (the last password set) to be reused, i.e. set again as the new password with the same value. However, when a maxAge constraint is set, the value cannot be reused after the existing password has expired. If set to false, the user must always provide a fresh password when setting a new one. This setting is effective only when historyLength > 0. The default behaviour is that reuse is not allowed (the setting is false).
<credentials>
  <password>
    <historyLength>10</historyLength>
    <historyAllowExistingPasswordReuse>true</historyAllowExistingPasswordReuse>
    <maxAge>P180D</maxAge>
  </password>
</credentials>

The older form of the history setting in the password policy (value policy):

<valuePolicy>
  <lifetime>
    <passwordHistoryLength>10</passwordHistoryLength>
  </lifetime>
</valuePolicy>

This setting is deprecated since midPoint 3.6.
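As an added illustration (not midPoint's own code), this Python model applies the rules described above to a constructed credential: a hashed history can only reject exact matches, historyAllowExistingPasswordReuse permits re-setting the current password only while it has not exceeded maxAge, and none of it applies when historyLength is 0. The class and function names, and PBKDF2 as the stand-in storage scheme, are assumptions made for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 stands in for the hashed storage scheme: entries can only be tested for equality."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
def matches(entry: Tuple[bytes, bytes], candidate: str) -> bool:
    return hmac.compare_digest(entry[1], hash_password(candidate, entry[0])[1])
@dataclass
class HistoryPolicy:
    history_length: int = 0              # historyLength; 0 disables the history check
    allow_existing_reuse: bool = False   # historyAllowExistingPasswordReuse (default false)
    max_age: Optional[timedelta] = None  # maxAge, e.g. P180D
@dataclass
class Credential:
    current: Tuple[bytes, bytes]         # hashed password currently set (the last set password)
    changed_at: datetime                 # when it was set; drives the maxAge check
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # earlier passwords, hashed

def check_new_password(policy: HistoryPolicy, cred: Credential, candidate: str, now: datetime) -> Tuple[bool, str]:
    """Apply the history rules described above; returns (accepted, reason)."""
    if policy.history_length <= 0:
        return True, "history disabled: reuse setting has no effect"
    if matches(cred.current, candidate):
        if not policy.allow_existing_reuse:
            return False, "candidate equals the current password"
        if policy.max_age is not None and now - cred.changed_at > policy.max_age:
            return False, "current password has expired and can no longer be reused"
        return True, "existing password reused"
    # Hashed entries permit exact comparison only: a near-miss of an old password passes.
    if any(matches(e, candidate) for e in cred.history[-policy.history_length:]):
        return False, "candidate found in password history"
    return True, "fresh password accepted"
def demo() -> dict:
    # Constructed scenario: history on, reuse allowed, maxAge P180D, password set 10 days ago.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = HistoryPolicy(history_length=10, allow_existing_reuse=True, max_age=timedelta(days=180))
    cred = Credential(hash_password("Curr3nt!"), now - timedelta(days=10),
                      [hash_password("0ld-one"), hash_password("0ld-two")])
    return {
        "reuse_current": check_new_password(policy, cred, "Curr3nt!", now)[0],
        "reuse_old": check_new_password(policy, cred, "0ld-two", now)[0],
        "near_miss_of_old": check_new_password(policy, cred, "0ld-two!", now)[0],
        "reuse_after_expiry": check_new_password(policy, cred, "Curr3nt!", now + timedelta(days=200))[0],
        "reuse_with_default": check_new_password(HistoryPolicy(history_length=10), cred, "Curr3nt!", now)[0],
        "history_disabled": check_new_password(HistoryPolicy(), cred, "0ld-one", now)[0],
    }
```

The near-miss case is the practical consequence of hashed storage noted above: "0ld-two!" is accepted even though it differs from a historical password by one character.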
Password Storage Schemes
This feature is available in midPoint 3.6 and later.