How to prevent users from reusing previous passwords within a year

  • Question

  • So I need to setup a GPO password policy for users in my organization that specifies the following:
    - Passwords must have at least 8 Characters 
    - Users must change their passwords after 90 days
    - Users can't use previous passwords for at least a year

    Now I have done the first two requirements but I'm a little bit confused on how I enforce the "Users can't use previous passwords for at least a year" requirement

    Help would be appreciated; a photo has been added below for context.

    https://i.gyazo.com/6c8a3ffb997828273f7a2a7269e74890.png

     
    Friday, January 18, 2019 3:10 PM

Answers

  • You could just keep a setting that keeps in mind the last 12 passwords set, so technically, if a user changes their password every 90 days, that leaves 4 years without the same password.

    This set of settings:

    • Set Enforce password history to 24. This will help mitigate vulnerabilities that are caused by password reuse.

    • Set Maximum password age to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss.

    • Configure Minimum password age so that you do not allow passwords to be changed immediately.


    Regards, Philippe

    Don't forget to mark as answer or vote as helpful to help identify good information. (A LinkedIn endorsement never hurt too :o) )

    Answer an interesting question? Create a wiki article about it!


    Friday, January 18, 2019 3:40 PM
    Moderator
  • Other than Yagmoth55's suggestion, there is provision to enforce any time limit before a password can be reused. And note, even if password history is 12 and max password age is 90 days, if min password age is 1 day, the user technically can reuse the same password after 12 or so days. With password history of 12, you would need to set min password age to 31 days to stop a determined user from reusing a password in less than a year.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Lirois Friday, January 18, 2019 4:02 PM
    Friday, January 18, 2019 3:49 PM

All replies

  • Other than Yagmoth55's suggestion, there is provision to enforce any time limit before a password can be reused. And note, even if password history is 12 and max password age is 90 days, if min password age is 1 day, the user technically can reuse the same password after 12 or so days. With password history of 12, you would need to set min password age to 31 days to stop a determined user from reusing a password in less than a year.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Yup, that does seem to do the work. Thank you for your help, guys; both your suggestions were very helpful.
    I have one more question though: if I set password history to 5 and min age to 73, would that still work just fine? Trying to see if I got it right.



    • Edited by Lirois Friday, January 18, 2019 4:07 PM
    Friday, January 18, 2019 4:05 PM
  • Yes, that is true, but I would expect users to complain. Not because they are trying to reuse a password, but at least some users will want to change their password before it expires. Some just to avoid having any password too long, others to prevent having it expire. Security is often a tradeoff with convenience. And if min password age is 73, then max age must be greater. A max age of 80 or more days is itself possibly too long for some organizations, considering that the default is 42 days.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, January 18, 2019 4:13 PM
  • I see, well thank you for all the help again!
    Friday, January 18, 2019 4:38 PM
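A way to check the arithmetic from Richard Mueller's answer and the 5 / 73-day follow-up, as an added example that is not from the thread: it reads the domain default policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy and evaluates it against the question's three requirements. Test-PasswordReusePolicy is a name chosen here (not a built-in cmdlet), and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT);
# Test-PasswordReusePolicy is a name chosen here, not a built-in cmdlet.
function Test-PasswordReusePolicy {
    param(
        [int]$HistoryCount,             # "Enforce password history"
        [TimeSpan]$MinPasswordAge,      # "Minimum password age"
        [TimeSpan]$MaxPasswordAge,      # "Maximum password age" (0 = never expires)
        [int]$MinPasswordLength,
        [int]$RequiredReuseDays = 365   # the question's one-year requirement
    )
    $findings = @()
    if ($MinPasswordLength -lt 8) {
        $findings += "Minimum length is $MinPasswordLength; the requirement is 8."
    }
    if ($MaxPasswordAge.TotalDays -eq 0 -or $MaxPasswordAge.TotalDays -gt 90) {
        $findings += "Maximum age is $($MaxPasswordAge.TotalDays) days; passwords must expire within 90."
    }
    # Windows requires the minimum age to be below the maximum (unless max = 0, never expire).
    if ($MaxPasswordAge.TotalDays -ne 0 -and $MinPasswordAge -ge $MaxPasswordAge) {
        $findings += "Minimum age must be less than maximum age."
    }
    # Fastest legal path back to an old password: cycle through the whole history, waiting
    # the minimum age before each change. History alone (min age 0) yields 0 days, which is
    # the gap Richard points out. HistoryCount * MinAge is the thread's figure; the reuse
    # itself is one change later, so this is a conservative lower bound.
    $earliest = [math]::Max(0, $HistoryCount) * $MinPasswordAge.TotalDays
    if ($earliest -lt $RequiredReuseDays) {
        $findings += "A determined user could reuse a password after $earliest days (< $RequiredReuseDays)."
    }
    [pscustomobject]@{
        HistoryCount      = $HistoryCount
        MinAgeDays        = $MinPasswordAge.TotalDays
        MaxAgeDays        = $MaxPasswordAge.TotalDays
        EarliestReuseDays = $earliest
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

# 1) The current domain default policy (Get-ADDefaultDomainPasswordPolicy is the real cmdlet).
$policy = Get-ADDefaultDomainPasswordPolicy
Test-PasswordReusePolicy -HistoryCount $policy.PasswordHistoryCount -MinPasswordAge $policy.MinPasswordAge `
    -MaxPasswordAge $policy.MaxPasswordAge -MinPasswordLength $policy.MinPasswordLength

# 2) The combinations discussed in the thread: 12 / 1 day fails, 12 / 31 and 5 / 73 pass.
foreach ($c in @(@(12, 1), @(12, 31), @(5, 73))) {
    Test-PasswordReusePolicy -HistoryCount $c[0] -MinPasswordAge (New-TimeSpan -Days $c[1]) `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordLength 8 |
        Select-Object HistoryCount, MinAgeDays, EarliestReuseDays, Compliant
}
```

The same properties exist on Get-ADFineGrainedPasswordPolicy objects, so the function can be reused to check a PSO applied to a specific group.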