I just had a user unable to change his password on a Windows 2008 domain. It was giving him a cryptic message about complexity requirements even though he was certain his chosen password was meeting them. I tested it myself and confirmed.
It seems his last password had been set too recently per a Microsoft-recommended default of something like 10 days, if I recall.
He asked of me a very good question, which I couldn't answer: why would there be a minimum password age? How could this reasonably benefit security? He also pointed out that one might discover their password to be compromised within this 10 day period and not be able to change it!
Would there be any valid reason to enforce a minimum password age?
Firstly, a technical answer:
http://technet.microsoft.com/en-us/library/cc779758(v=ws.10).aspx (Server 2003) http://technet.microsoft.com/en-us/library/hh994570(v=ws.10).aspx (Server 2008 / Windows Vista Onwards)
So, that's a good reason for it not to be 0. Additionally, according to those articles:
So, in other words, the default is the minimum you need to be able to enforce a password history.
Now, personally, I don't think there is a valid security reason to enforce minimum password ages but there could be some practical / human reasons. For example, you may restrict the number of password changes to cut down on the number of "Forgot my password" calls. I could see this being practical for high school students, perhaps.
Finally, it's worth bearing in mind that these limits do not apply to manual password resets from within Active Directory Users & Computers. So a user could always ask the Sysadmin for help if they really need to change their password.
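The two points in that answer, that the minimum age only bites on a user-initiated change and that an administrative reset is exempt, can be checked from PowerShell. The following is an added example, not code from the original answer; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine with rights to reset passwords, and a hypothetical test account `jdoe` whose password was set less than MinPasswordAge ago. Note that the domain controller reports a minimum-age or history violation with the same generic "length, complexity, or history requirements" error it uses for a complexity failure, which is why the message in the question looked like a complexity problem.

```powershell
# Added example (not part of the original answer). Assumes the ActiveDirectory
# module is available, the session has password-reset rights, and 'jdoe' is a
# hypothetical test account that changed its password inside MinPasswordAge.
Import-Module ActiveDirectory

$user = 'jdoe'   # hypothetical test account

# 1. Read the policy. Start with the domain default, then check whether a
#    fine-grained password policy (Server 2008+) overrides it for this user.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object MinPasswordAge, MaxPasswordAge, PasswordHistoryCount, ComplexityEnabled

$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $effective) { $effective = $domainPolicy }   # no FGPP applies

# 2. Work out when the user is next allowed to change the password themselves.
$pwdLastSet     = (Get-ADUser -Identity $user -Properties PasswordLastSet).PasswordLastSet
$earliestChange = $pwdLastSet + $effective.MinPasswordAge
"Password last set: $pwdLastSet"
"Minimum age:       $($effective.MinPasswordAge)"
"User may change it from: $earliestChange"

$old = Read-Host -AsSecureString 'Current password for the test account'
$new = Read-Host -AsSecureString 'New password for the test account'

# 3. A user-initiated change (old password supplied) is subject to both
#    MinPasswordAge and the password history. Inside the window the DC rejects
#    it with the same generic error it uses for a complexity failure:
#    "...does not meet the length, complexity, or history requirements of the domain."
try {
    Set-ADAccountPassword -Identity $user -OldPassword $old -NewPassword $new -ErrorAction Stop
    'User-initiated change accepted'
} catch {
    "User-initiated change rejected: $($_.Exception.Message)"
}

# 4. An administrative reset (what the "Reset Password" action in ADUC performs)
#    is not subject to MinPasswordAge. Length and complexity still apply.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $new -ErrorAction Stop
'Administrative reset accepted'

# 5. After an admin reset, require the user to choose their own password at next
#    logon. Without this flag the freshly reset password restarts the minimum-age
#    clock, and the user would again be blocked from changing it themselves.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
```

Run it in a test OU rather than against a real account: step 4 replaces the account's password. The step 5 flag is the practical answer to the question's "what if I know my password is compromised" scenario: the helpdesk resets the password, and the user picks their own at the next logon regardless of the minimum age.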
The rationale behind minimum password age is to prevent users from reverting to their old password immediately after an enforced password change. This policy is best used together with "password history" policy (prevent users from re-using their last X number of previous passwords).
Minimum password age can also serve as a safety measure. What if the hacker changed the password immediately after they broke into the computer?