To meet the requirements of section 8.2.5 of PCI DSS, "Prohibit the use of old passwords", a small application has been implemented that the system launches when a user tries to change a password and that checks whether the password was used before. #MSW
This is a rough draft of the steps I used to import this example into a non-containerized IRIS 2021.1 instance. It would be nice to include a more formal set of instructions for customers who are not in a container or using ZPM. It is really straightforward to import to a local instance, but the instructions for containers and ZPM make it seem like these are the only ways to import the sample.
Step 1: Be logged in to GitHub and download PASSWORD.mac
Step 2: Import and compile PASSWORD.mac into the %SYS namespace.
Step 3: Configure the instance to use the PASSWORD routine
USER>zn "%SYS"
%SYS>set ss=##class(Security.System).%OpenId("SYSTEM")
%SYS>set ss.PasswordValidationRoutine="CHECK^PASSWORD"
%SYS>write ss.%Save()
1
Step 5: Confirm setting in Management Portal
System Administration > Security > System Wide Parameters > “Password validation routine” should say “CHECK^PASSWORD”
Step 6: Test by making a new password for a user. This logs the password into the secure log location. Then, try to change the password for this user again, but make the password the same as the first one. You should see the error "This password has already been used."
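An added example, not code from PASSWORD.mac or from the post above: a Python sketch of the kind of reuse check a password validation hook performs, keeping salted PBKDF2 digests of earlier passwords rather than the passwords themselves. The names `PasswordHistory` and `check`, the history depth of 4, the iteration count and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 4       # assumption: number of previous passwords to remember
ITERATIONS = 200_000    # assumption: PBKDF2-HMAC-SHA256 work factor


class PasswordHistory:
    """Per-user list of (salt, digest) pairs, newest last.

    The dict is an in-memory stand-in for an access-controlled store.
    """

    def __init__(self, depth=HISTORY_DEPTH, iterations=ITERATIONS):
        self.depth = depth
        self.iterations = iterations
        self._store = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations)

    def was_used(self, username, password):
        # Each entry has its own salt, so the candidate is re-derived per entry.
        # Every entry is checked (no early exit) and compared in constant time.
        found = False
        for salt, digest in self._store.get(username.lower(), []):
            if hmac.compare_digest(self._digest(password, salt), digest):
                found = True
        return found

    def record(self, username, password):
        salt = os.urandom(16)
        entries = self._store.setdefault(username.lower(), [])
        entries.append((salt, self._digest(password, salt)))
        del entries[:-self.depth]   # keep only the newest `depth` entries


def check(history, username, new_password):
    """Validation hook: returns (ok, message) for a proposed password."""
    if history.was_used(username, new_password):
        return False, "This password has already been used."
    # Recorded at validation time; if a later step rejects the change,
    # the caller should roll this entry back.
    history.record(username, new_password)
    return True, ""
```

With a depth of 4, the first password becomes acceptable again only after four newer passwords have been recorded for that user.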