Prohibit password reuse for a specified number of generations.
Discussion
Password lifetime restrictions do not apply to temporary passwords.
Further Discussion
Individuals may not reuse their passwords until a defined period of time has passed and a set number of new passwords has been generated.
Example
You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].
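One way to enforce the behavior described in the example above, shown as an added illustration that is not part of the original guidance. The class names, the default of 5 generations, and the PBKDF2 parameters are assumptions chosen for the example; the passwords in the demo are constructed.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordReuseError(ValueError):
    """Raised when a new password matches one still inside the history window."""


class PasswordHistory:
    """Per-user store of the last `generations` password verifiers (salt, hash)."""

    def __init__(self, generations=5, iterations=600_000):
        # generations=5 and the PBKDF2 work factor are assumed values;
        # set them from your own policy [a] and hardware.
        self.iterations = iterations
        # deque(maxlen=N) evicts the oldest verifier once N newer ones are stored.
        self._entries = deque(maxlen=generations)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def is_reused(self, candidate):
        # Every entry has its own salt, so the candidate is re-derived per entry.
        # All entries are checked (no early exit) and compared in constant time.
        hit = False
        for salt, stored in self._entries:
            hit |= hmac.compare_digest(self._derive(candidate, salt), stored)
        return hit

    def change_password(self, new_password):
        if self.is_reused(new_password):
            raise PasswordReuseError(  # the error the user sees [b]
                f"Password matches one of the last {self._entries.maxlen}; choose a new one."
            )
        salt = os.urandom(16)
        self._entries.append((salt, self._derive(new_password, salt)))


if __name__ == "__main__":
    history = PasswordHistory(generations=3, iterations=10_000)  # low cost for the demo only
    for pw in ["constructed-pw-1", "constructed-pw-2", "constructed-pw-3"]:
        history.change_password(pw)
    try:
        history.change_password("constructed-pw-1")
    except PasswordReuseError as err:
        print("rejected:", err)
```

The history holds only salted, slow hashes, so keeping old generations does not require storing any previous password in recoverable form.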
Potential Assessment Considerations
- How many generations of password changes need to take place before a password can be reused [a]?