
Windows Minimum Password Age

This setting limits how frequently a user may change their password. The usual reason for using it is to prevent users, upon password expiration, from repeatedly changing their password to force the system to forget their favorite password by overwriting the system’s password history for the account, as defined by the password history setting.

Setting this control to zero disables it. Otherwise this setting must range between one and 998 days. If maximum password age is greater than zero, this control must be less than maximum password age.
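As an added example (not part of the original page), the following Python sketch checks the rules above against the [System Access] section of a `secedit /export` policy file. The sample policy text is constructed and the function name `audit_min_age` is hypothetical; it also computes how many days a user needs to cycle through the password history, which is the history size multiplied by the minimum age.

```python
import configparser

# Constructed sample: [System Access] section as written by
# `secedit /export /cfg policy.inf` (real exports are UTF-16; decode first).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
PasswordHistorySize = 24
"""


def audit_min_age(inf_text):
    """Check minimum password age against the rules described on this page.

    Hypothetical helper. Returns (findings, cycle_days), where cycle_days is
    the number of days a user needs to push a favourite password out of the
    history and reuse it (history size x minimum age).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as exported
    cp.read_string(inf_text)
    sec = cp["System Access"]
    min_age = sec.getint("MinimumPasswordAge", fallback=0)
    max_age = sec.getint("MaximumPasswordAge", fallback=0)
    history = sec.getint("PasswordHistorySize", fallback=0)

    findings = []
    if not 0 <= min_age <= 998:
        findings.append("minimum age must be 0 (disabled) or 1-998 days")
    # The page's rule applies only when maximum age is greater than zero.
    if max_age > 0 and min_age >= max_age:
        findings.append("minimum age must be less than maximum age")
    if history > 0 and min_age == 0:
        findings.append("history is enforced but minimum age is disabled: "
                        "users can cycle through it in one sitting")
    return findings, history * min_age


if __name__ == "__main__":
    findings, cycle_days = audit_min_age(SAMPLE_INF)
    print("days to cycle history:", cycle_days)
    for f in findings:
        print("FINDING:", f)
```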

As with all of these password policies, this control can be a double-edged sword. In this case, a user could be prevented from changing their password when they suspect or are certain that someone else knows it. For instance, a manager who is out of town desperately needs to access some information on his desktop network and resorts to sharing his password with a subordinate. A day or two later, having returned to the office, he attempts to change his password, but this policy prevents him, and he subsequently forgets about it. Of course, one could argue that he should never have shared the password in the first place, but humans will be humans.

Bottom line

I think that if your overall password strategy requires you to depend on enforcing password history, then you should use this setting as well. In that case I recommend a value of two days.
