Windows checks this setting at the time a user attempts to change their password. You can configure it anywhere from 0 to 24; 0 disables it, of course. Any value above 0 means Windows stores the hashes of the account's last X passwords and rejects any attempt to re-use one of them. Note that password history only does its job if Minimum password age is also set above 0: with a minimum age of 0, a user can cycle through 24 throw-away passwords in a minute and land right back on the original.
Why would you ever set this policy to less than its maximum of 24? You'd be amazed how many IT security audits have found me arguing with an executive who disagreed on this point and asked me to change my recommendation to something more "reasonable" like 5 or 6. What are we trying to do here? Teach users to keep a handful of favorite passwords to use in rotation? Or actually require them to pick a new password each time the maximum password age is reached? I think it is more reasonable to lengthen the maximum password age, requiring less frequent changes, and to reinforce good password practices with training and feedback as described above.
Bottom line: set it to 24 or don't bother.
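The following PowerShell script is an added example, not part of the original page, that audits the current Enforce password history value and optionally raises it to 24. It reads the local policy through the INF that secedit exports (the key is PasswordHistorySize under [System Access]) and, when the ActiveDirectory module is available, the domain default through Get-ADDefaultDomainPasswordPolicy. The parameter names (-Required, -Fix) and the temp file names are my own choices; run it from an elevated prompt.

```powershell
# Added example (not from the original page): audit, and with -Fix correct,
# the "Enforce password history" setting on the local machine and, if reachable,
# the domain default policy. -Required and -Fix are assumed parameter names.
param(
    [int]$Required = 24,   # the maximum Windows allows; the recommendation above
    [switch]$Fix
)

function Get-LocalPasswordHistorySize {
    # secedit writes the local security policy as an INF; PasswordHistorySize
    # lives under [System Access]. A missing key means "not defined" (0).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*PasswordHistorySize\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line -and ($line -match '=\s*(\d+)')) { return [int]$Matches[1] }
    return 0
}

function Set-LocalPasswordHistorySize {
    param([int]$Size)
    # Build a minimal security template and apply it with secedit /configure.
    # Single-quoted strings keep "$CHICAGO$" literal instead of expanding it.
    $cfg = Join-Path $env:TEMP 'secpol-fix.inf'
    $db  = Join-Path $env:TEMP 'secpol-fix.sdb'
    $inf = @(
        '[Unicode]',
        'Unicode=yes',
        '[Version]',
        'signature="$CHICAGO$"',
        'Revision=1',
        '[System Access]',
        "PasswordHistorySize = $Size"
    )
    $inf | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Get-DomainPasswordHistorySize {
    # Returns $null when the AD module is absent or no domain controller answers.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    try { return (Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount }
    catch { return $null }
}

# Local accounts (on a domain member this is what local SAM accounts get).
$local = Get-LocalPasswordHistorySize
"Local policy   : PasswordHistorySize = $local"
if ($local -lt $Required) {
    "  -> weaker than the recommended $Required"
    if ($Fix) { Set-LocalPasswordHistorySize -Size $Required; "  -> set to $Required" }
}

# Domain accounts: the Default Domain Policy, plus any fine-grained policies
# (PSOs), which silently override the default for the groups they apply to.
$domain = Get-DomainPasswordHistorySize
if ($null -ne $domain) {
    "Domain default : PasswordHistoryCount = $domain"
    if ($domain -lt $Required) {
        "  -> weaker than the recommended $Required"
        if ($Fix) {
            Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
                -PasswordHistoryCount $Required
            "  -> set to $Required"
        }
    }
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        "PSO $($_.Name): PasswordHistoryCount = $($_.PasswordHistoryCount) (applies to: $($_.AppliesTo -join ', '))"
    }
}
```

Two things to keep in mind when reading the output: on a domain-joined workstation the secedit value governs only local SAM accounts, while domain accounts follow the Default Domain Policy (and any PSO that targets them), so a 24 on the workstation says nothing about the domain; and setting history to 24 is only half the control, since the script does not touch Minimum password age, which has to be above 0 for the history to be enforceable at all.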
User Comments
by yinzer, added Thursday, October 07, 2010
Don't bother. What this results in is people picking easier passwords to remember or some random password (then writing it down).