Password History Policy Question
John Hascall
john at iastate.edu
Thu Jan 17 15:54:47 EST 2008
> I am trying to set a policy for users. One of our requirements is
> that passwords not be reused for at least 1 year (we change passwords
> every 30 days). The problem seems to be that the -history parameter
> cannot be greater than 9. Is this something I am doing wrong or is
> this indeed a restriction on the number of kept old passwords? Thanks
This is, indeed, a restriction. If you need more, you need to change
the code and recompile, etc.
In any event, unless you also set a minimum password lifetime, you
can't guarantee no reuse in a year anyway (I could change my password
12 times in 12 minutes).
<soapbox>
I realize that these sorts of password rules are often externally dictated,
but it's not clear to me (or many others) that they actually have a positive
effect on security.
</soapbox>
John
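
The interaction between history depth and minimum lifetime described in the reply, as an added example that is not part of the original post and is not Kerberos code: a toy Python model that measures how soon a user changing passwords as fast as the policy allows can get the original password back. The class and function names are hypothetical, and the model assumes `history` counts previous passwords remembered in addition to the current one, with one change attempt per minute when there is no minimum lifetime.

```python
from datetime import datetime, timedelta


class PolicyModel:
    """Toy history + minimum-lifetime policy (constructed, not KDC behaviour)."""

    def __init__(self, history, minlife):
        self.history = history        # previous passwords remembered (assumption)
        self.minlife = minlife        # timedelta(0) means no minimum lifetime
        self.current = None
        self.old = []                 # remembered old passwords, newest last
        self.last_change = None

    def change(self, new, now):
        """Return True if the policy accepts this change request."""
        if self.last_change is not None and now - self.last_change < self.minlife:
            return False              # rejected: password too young to change
        if new == self.current or new in self.old:
            return False              # rejected: password is still remembered
        if self.current is not None:
            self.old.append(self.current)
            # Keep only the newest `history` entries (none when history is 0).
            self.old = self.old[-self.history:] if self.history else []
        self.current, self.last_change = new, now
        return True


def earliest_reuse(history, minlife, step=timedelta(minutes=1)):
    """Elapsed time before the first password is accepted again."""
    start = datetime(2008, 1, 17)     # constructed start date
    model = PolicyModel(history, minlife)
    model.change("original", start)
    now, n = start, 0
    while True:
        now += max(step, minlife)     # wait until the next change is allowed
        if model.change("original", now):
            return now - start
        n += 1
        if not model.change(f"throwaway-{n}", now):
            raise RuntimeError("throwaway password unexpectedly rejected")


if __name__ == "__main__":
    print("history 9, no minlife: ", earliest_reuse(9, timedelta(0)))
    print("history 9, 30d minlife:", earliest_reuse(9, timedelta(days=30)))
```

Under these assumptions the no-reuse window is set by the minimum lifetime multiplied by the history depth, so the history limit alone bounds nothing.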