Skip links

Enforcing Password History in Your AD to Curb Password Reuse



IT security professionals have long recommended that password policies be configured in a way that prevents users from reusing their old passwords.

Netwrix for example, recommends that your password history policy be set up to remember at least the 10 most recent passwords for each user. Similarly, Microsoft recommends configuring the password history to remember the last 24 passwords.

Unfortunately, password re-use is a prevalent end-user behavior that isn’t likely to go away anytime soon. In fact, 65% of end-users openly admit to reusing the same password for one or more (or all!) of their accounts.

How Password History Can Help

NIST, Microsoft, and others are now recommending against forced, periodic password changes. Requiring users to change their passwords for no other reason than because “it’s time” often reduces password security.

When users are required to frequently change their passwords they are more inclined to use weak passwords, write their passwords down, or to engage in other risky behavior due to a burnout or frustration effect.

The flip side to this is that if an organization that adheres to these password best practices forces users to change their passwords, there is usually a good reason why. The password may have been compromised or the organization’s security team may believe that there is a threat that justifies a password change.

This is where password history comes into play. Unless an organization enforces a password history requirement, a user could skirt the rules by changing their password and then immediately changing back to their original password.

As far as the system is concerned, the user has satisfied the password change requirement. Of course, this puts the organization at risk, just as if the user had never changed their password at all.

Password history requirements discourage this type of behavior by making it more difficult for a user to reuse their old password. Such a policy causes Windows to keep track of recently used passwords in an effort to prevent them from being used again.

Implementing Password Change History

Windows makes it easy to add a password history requirement to an existing password policy.

To do so, begin by opening the group policy object containing the existing password policy.

Next, navigate through the Group Policy Management Editor’s console tree to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Now, double click on the Enforce Password History setting, shown in Figure 1, and then choose the number of passwords that you want Windows to remember.

Click OK to complete the process.

Figure 1 Password history requirements can be implemented at the group policy level.

Why Password Change History Alone Isn’t Enough

Although configuring Windows to remember a user’s recent passwords can help to prevent those passwords from being reused any time soon, there are ways for users to circumvent such a policy. 

Suppose for instance, that a user figures out that an organization’s password policy is configured to remember the six most recent passwords. The user could simply change their password six times in rapid succession and then go back to using their original password. While most users probably won’t go to such lengths to circumvent the password policy, there will inevitably be some who will.

One way that you can prevent this type of behavior is to enable the Minimum Password Age setting, which you can see in the figure above. By default, Windows allows a recently changed password to be changed again immediately, thereby allowing a determined user to cycle through numerous password changes very quickly until they get back to the point at which they are allowed to reuse their original password.

Enabling the Minimum Password Age setting keeps users from being able to change their password again right away. Suppose for example, that you were to configure Windows to remember 24 passwords and you were to set the minimum password age to one day.

That would mean that even the most determined user would not be able to cycle back to their original password for 24 days. It’s probably going to be a lot easier for the user to just accept their new password.

Another way that users sometimes circumvent password history requirements is by using sequential passwords. A user might stick with the same root password, but append a number or the name of a month to the end of the password.

Each time that a password change is required, the user just increments the number or changes the month portion of their password.

Unfortunately, Windows cannot natively stop this type of password abuse. However, Specops Password Policy can be used to prevent the use of sequential passwords and other similar tricks. Specops Password Policy also allows admins to create a list of words that cannot be used within a user’s password. This gives you a way of stopping users from appending the name of a month to their password. You can test it out for free in your Active Directory, anytime.

Sponsored by Specops

Adblock test (Why?)