On Friday, March 8, 2002, at 06:33 PM, Bradley, Tony wrote: > To combat this you also need to set a minimum password age in > your policy. > If you set the minimum password age to 1 month they will not be able to > reset their password for at least 1 month each time and then > you guarantee > that it will be 18 months until they can re-use the old password again. Of course, if a user happens to find out or suspect his password is compromised, then he can't change it, either. Cycling through 18 passwords take a fair amount of effort. Even more if you set the minimum to something like ten minutes. But at least ten minutes probably doesn't get in the way of users who need to change their password because they lost the slip of paper they wrote it down on. Also, remember, the more often you make people change their passwords, the more likely they are to start writing them down. And the more valuable the stored password history is likely to become.
