What is the rationale for a minimum password age?


Solution 1

Firstly, a technical answer:

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.

http://technet.microsoft.com/en-us/library/cc779758(v=ws.10).aspx (Server 2003)
http://technet.microsoft.com/en-us/library/hh994570(v=ws.10).aspx (Server 2008 / Windows Vista onwards)

So, that's a good reason for it not to be 0. Additionally, according to those articles:

Default

1 on domain controllers.

0 on stand-alone servers.

So, in other words, the default is the minimum you need to be able to enforce a password history.

Now, personally, I don't think there is a valid security reason to enforce minimum password ages but there could be some practical / human reasons. For example, you may restrict the number of password changes to cut down on the number of "Forgot my password" calls. I could see this being practical for high school students, perhaps.

Finally, it's worth bearing in mind that these limits do not apply to manual password resets from within Active Directory Users & Computers. So a user could always ask the sysadmin for help if they really need to change their password.
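As an added example (not part of either answer), the same policy interaction viewed from PowerShell with the RSAT ActiveDirectory module: the weak setting (history without a minimum age) beside the corrected one, the calculation of when a user may next change their own password, and the administrative reset that the answer says is not bound by the minimum age. The domain name corp.example.com, the user jdoe and the 24-password history are assumptions made for the demonstration.

```powershell
# Added example, not from the original answers. Assumes the RSAT ActiveDirectory
# module, Domain Admin rights, a domain 'corp.example.com' and a test user 'jdoe'
# (domain, user and history count are hypothetical values).
Import-Module ActiveDirectory

$domain = 'corp.example.com'

# 1. Inspect the current default domain password policy.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordAge, MaxPasswordAge, PasswordHistoryCount, ComplexityEnabled

# 2. Weak setting: a 24-password history with no minimum age. A user who is forced
#    to change can run through 24 throwaway passwords in one sitting and land back
#    on the old favourite. Shown only for contrast; left commented out.
# Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge 0.00:00:00 -PasswordHistoryCount 24

# 3. Corrected setting: a one-day minimum age (the domain controller default) makes
#    the same history effective, because cycling through it now takes 24 days.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge 1.00:00:00 -PasswordHistoryCount 24
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain   # re-read after the change

# 4. Work out when a given user is allowed to change their own password again.
$user = Get-ADUser -Identity jdoe -Properties PasswordLastSet
if ($user.PasswordLastSet) {
    $nextChange = $user.PasswordLastSet + $policy.MinPasswordAge
    '{0} set a password at {1}; earliest self-service change: {2}' -f `
        $user.SamAccountName, $user.PasswordLastSet, $nextChange
} else {
    '{0} must change password at next logon; minimum age is not in the way' -f $user.SamAccountName
}

# 5. A user-initiated change (OldPassword/NewPassword, no -Reset) is subject to
#    minimum age and history, so inside the window it is rejected.
$old = Read-Host -AsSecureString 'Current password'
$new = Read-Host -AsSecureString 'New password'
try {
    Set-ADAccountPassword -Identity jdoe -OldPassword $old -NewPassword $new -ErrorAction Stop
} catch {
    Write-Warning "Self-service change rejected: $($_.Exception.Message)"
}

# 6. The administrative reset the answer refers to. Minimum age does not apply to
#    a reset, so this is the route for a user who needs a new password inside the
#    window (for example after a suspected compromise).
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword $new

# 7. Optional: make the user pick their own password at next logon. Per the
#    Microsoft articles cited above, a user flagged this way can change the
#    password immediately despite the minimum age, which would otherwise hold
#    the administrator-chosen password in place for the minimum period.
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
```

On a stand-alone server the equivalent local settings are `net accounts /minpwage:1 /uniquepw:24`; step 4 is also a quick way to tell a genuine complexity failure from a change attempted too soon after the last one.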

Solution 2

The rationale behind minimum password age is to prevent users from reverting to their old password immediately after an enforced password change. This policy is best used together with "password history" policy (prevent users from re-using their last X number of previous passwords).


Author: WookieeKushin

Updated on September 18, 2022

Comments

  • WookieeKushin (almost 2 years ago)

    I just had a user unable to change his password on a Windows 2008 domain. It was giving him a cryptic message about complexity requirements even though he was certain his chosen password was meeting them. I tested it myself and confirmed.

    It seems his last password had been set too recently per a Microsoft-recommended default of something like 10 days if I recall.

    He asked me a very good question, which I couldn't answer: why would there be a minimum password age? How could this reasonably benefit security? He also pointed out that one might discover their password to be compromised within this 10-day period and not be able to change it!

    Would there be any valid reason to enforce a minimum password age?

  • Corey (over 8 years ago)
    The minimum password age has little to nothing to do with this. If the user is able to change their own password at some stage then they are not protected from a malicious agent changing their password. Unless the users are being forced to change their passwords every n days, and cannot change before that time... which is so draconian that I doubt any IT manager could justify it.