Implementing password history

2025/05/11 8:42 PM

How would you go about setting up a feature to prevent CMS users from reusing their last 5 passwords? In K12 I could modify the functionality in the admin app, but I cannot find any documentation on overriding set, change, and reset password that would allow me to store the hash and prevent re-use.


Environment

Tags:
Xperience Administration ASP.NET Core

Answers

2025/05/11 9:53 PM

As Kentico is just using ASP.NET Core Identity, you can probably hook into password validation using a custom validator.

I found this blog post which has an example of one:

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Custom ASP.NET Core Identity password validator: UserManager calls every
// registered IPasswordValidator<TUser> before it hashes and stores a new password.
public class UsernameAsPasswordValidator<TUser> : IPasswordValidator<TUser> 
    where TUser : IdentityUser
{
    public Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        // Reject a password that equals the user name (case-insensitive).
        if (string.Equals(user.UserName, password, StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult(IdentityResult.Failed(new IdentityError
            {
                Code = "UsernameAsPassword",
                Description = "You cannot use your username as your password"
            }));
        }
        // Any other password passes this validator (the built-in ones still run).
        return Task.FromResult(IdentityResult.Success);
    }
}

You could use this to check for previous hashes. The hashes themselves could be stored before you complete the password change, and then checked using the above validator.
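A worked version of the approach described in the answer above, added here as an example; it is not code from the thread or from Kentico. It assumes stock ASP.NET Core Identity: a custom IPasswordValidator that verifies the candidate password against the user's last N stored hashes, and a derived UserManager that records a hash after each successful change or reset. IPasswordHistoryStore, InMemoryPasswordHistoryStore, PasswordHistoryOptions and the Xperience type names in the registration comment (ApplicationUser, NoOpApplicationRole) are assumptions, not documented Xperience APIs.

```csharp
// Added example, not from the thread or from Kentico. IPasswordHistoryStore,
// InMemoryPasswordHistoryStore and PasswordHistoryOptions are hypothetical names.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public sealed class PasswordHistoryOptions { public int HistoryDepth { get; set; } = 5; }

// Persistence of previous password hashes per user (hypothetical interface).
public interface IPasswordHistoryStore
{
    Task<IReadOnlyList<string>> GetRecentHashesAsync(string userId, int count);
    Task AddAsync(string userId, string passwordHash, int keep);
}

// Illustrative in-memory store; a real one would be a table keyed by user ID.
public sealed class InMemoryPasswordHistoryStore : IPasswordHistoryStore
{
    private readonly ConcurrentDictionary<string, List<string>> history = new();

    public Task<IReadOnlyList<string>> GetRecentHashesAsync(string userId, int count)
    {
        if (!history.TryGetValue(userId, out var list))
            return Task.FromResult<IReadOnlyList<string>>(Array.Empty<string>());
        lock (list) { return Task.FromResult<IReadOnlyList<string>>(list.TakeLast(count).ToList()); }
    }

    public Task AddAsync(string userId, string passwordHash, int keep)
    {
        var list = history.GetOrAdd(userId, _ => new List<string>());
        lock (list)
        {
            list.Add(passwordHash);
            if (list.Count > keep) list.RemoveRange(0, list.Count - keep); // keep only the last N
        }
        return Task.CompletedTask;
    }
}

// Rejects a new password that verifies against any of the user's last N hashes.
// Hash strings cannot be compared directly (each carries its own salt), so the
// correct check is IPasswordHasher.VerifyHashedPassword against every stored hash.
public sealed class PasswordHistoryValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    private readonly IPasswordHistoryStore store;
    private readonly PasswordHistoryOptions options;

    public PasswordHistoryValidator(IPasswordHistoryStore store, IOptions<PasswordHistoryOptions> options)
    { this.store = store; this.options = options.Value; }

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string? password)
    {
        if (password is null) return IdentityResult.Success; // nothing to compare
        var userId = await manager.GetUserIdAsync(user);
        foreach (var oldHash in await store.GetRecentHashesAsync(userId, options.HistoryDepth))
        {
            // SuccessRehashNeeded also means "same password", so only Failed is acceptable.
            if (manager.PasswordHasher.VerifyHashedPassword(user, oldHash, password) != PasswordVerificationResult.Failed)
                return IdentityResult.Failed(new IdentityError
                {
                    Code = "PasswordReused",
                    Description = $"You cannot reuse any of your last {options.HistoryDepth} passwords."
                });
        }
        return IdentityResult.Success;
    }
}

// Records a hash after every successful change/reset/add so the validator has history to check.
public sealed class PasswordHistoryUserManager<TUser> : UserManager<TUser> where TUser : class
{
    private readonly IPasswordHistoryStore store;
    private readonly PasswordHistoryOptions options;

    public PasswordHistoryUserManager(IUserStore<TUser> userStore, IOptions<IdentityOptions> optionsAccessor,
        IPasswordHasher<TUser> passwordHasher, IEnumerable<IUserValidator<TUser>> userValidators,
        IEnumerable<IPasswordValidator<TUser>> passwordValidators, ILookupNormalizer keyNormalizer,
        IdentityErrorDescriber errors, IServiceProvider services, ILogger<UserManager<TUser>> logger,
        IPasswordHistoryStore store, IOptions<PasswordHistoryOptions> historyOptions)
        : base(userStore, optionsAccessor, passwordHasher, userValidators, passwordValidators, keyNormalizer, errors, services, logger)
    { this.store = store; options = historyOptions.Value; }

    public override async Task<IdentityResult> ChangePasswordAsync(TUser user, string currentPassword, string newPassword)
        => await RecordAsync(user, newPassword, await base.ChangePasswordAsync(user, currentPassword, newPassword));

    public override async Task<IdentityResult> ResetPasswordAsync(TUser user, string token, string newPassword)
        => await RecordAsync(user, newPassword, await base.ResetPasswordAsync(user, token, newPassword));

    public override async Task<IdentityResult> AddPasswordAsync(TUser user, string password)
        => await RecordAsync(user, password, await base.AddPasswordAsync(user, password));

    // Only a successful operation is recorded. A fresh salted hash of the new password is
    // stored, so this never needs to read the user's PasswordHash column.
    private async Task<IdentityResult> RecordAsync(TUser user, string newPassword, IdentityResult result)
    {
        if (result.Succeeded)
            await store.AddAsync(await GetUserIdAsync(user), PasswordHasher.HashPassword(user, newPassword), options.HistoryDepth);
        return result;
    }
}

// Registration (Xperience's ApplicationUser/NoOpApplicationRole names are assumed here):
// services.Configure<PasswordHistoryOptions>(o => o.HistoryDepth = 5);
// services.AddSingleton<IPasswordHistoryStore, InMemoryPasswordHistoryStore>();
// services.AddIdentity<ApplicationUser, NoOpApplicationRole>()
//         .AddUserManager<PasswordHistoryUserManager<ApplicationUser>>()
//         .AddPasswordValidator<PasswordHistoryValidator<ApplicationUser>>();
```

Two caveats a reviewer would raise: users who existed before the feature have no history until their next successful change, so seed the store from the current hash if reuse of the very first password must also be blocked; and each check costs N full hash verifications (PBKDF2 by default), so keep the depth at the required 5 rather than "everything ever used".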

2025/05/12 1:16 AM

Great points, Liam!

Xperience is built on ASP.NET Core and unlike past Kentico products, Xperience tries to use the framework as much as possible.

That way, you don't have to learn some special "Kentico" way of doing things and instead you can leverage the knowledge of ASP.NET Core, its community and open-source ecosystem.
