Password History Policy Question

John Hascall john at iastate.edu
Thu Jan 17 15:54:47 EST 2008


> I am trying to set a policy for users. One of our requirements is  
> that passwords not be reused for at least 1 year (we change passwords  
> every 30 days). The problem seems to be that the -history parameter  
> cannot be greater than 9. Is this something I am doing wrong or is
> this indeed a restriction on the number of kept old passwords? Thanks

This is, indeed, a restriction.  If you need more, you need to change
the code and recompile, etc.

In any event, unless you also set a minimum password lifetime, you
can't guarantee no reuse in a year anyway (I could change my password
12 times in 12 minutes).

<soapbox>
I realize that these sorts of password rules are often externally dictated,
but it's not clear to me (or many others) that they actually have a positive
effect on security.
</soapbox>


John
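The minimum-lifetime point above, worked through as an added example (this is illustrative code written for this page, not MIT Kerberos code): a simplified model of a history-plus-minimum-lifetime policy, with a simulation of a user who changes passwords as fast as the policy permits in order to get back to the original one. The `Policy` and `Principal` classes and the assumption that the history window includes the current password are simplifications of this model, not the KDC's actual semantics.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from typing import List, Optional, Tuple

# Assumed simplified model of a KDC password policy (not MIT's implementation):
# `history` is the number of most recent passwords, the current one included,
# that may not be reused; `minlife_days` is the minimum age a password must
# reach before it can be changed again (0 = no minimum).
@dataclass
class Policy:
    history: int
    minlife_days: int = 0

@dataclass
class Principal:
    recent: List[str] = field(default_factory=list)   # password digests, oldest first
    last_change_day: Optional[int] = None

def _digest(pw: str) -> str:
    return sha256(pw.encode()).hexdigest()

def change_password(p: Principal, pol: Policy, new_pw: str, today: int) -> Optional[str]:
    """Apply the policy to a change request; return None on success, else the reason."""
    if p.last_change_day is not None and today - p.last_change_day < pol.minlife_days:
        return "too soon: minimum password lifetime not reached"
    if _digest(new_pw) in p.recent:
        return "reuse: password is still in the history window"
    p.recent.append(_digest(new_pw))
    p.recent = p.recent[max(0, len(p.recent) - pol.history):]  # keep last `history`
    p.last_change_day = today
    return None

def days_until_reuse(pol: Policy) -> Tuple[int, int]:
    """Simulate a user who changes password as fast as the policy allows in order
    to get back to the original one; return (day of successful reuse, number of
    changes that took, counting the final reuse)."""
    p = Principal()
    assert change_password(p, pol, "original", 0) is None   # set on day 0
    throwaways = 0
    while True:
        day = p.last_change_day + pol.minlife_days          # earliest permitted change
        if change_password(p, pol, "original", day) is None:
            return day, throwaways + 1
        throwaways += 1
        assert change_password(p, pol, f"throwaway-{throwaways}", day) is None

if __name__ == "__main__":
    for pol in (Policy(9, 0), Policy(9, 30), Policy(12, 30)):
        print(pol, "-> reuse possible on day %d after %d changes" % days_until_reuse(pol))
```

With a history of 9 and no minimum lifetime the original password is back after 10 changes on day 0; with a 30-day minimum lifetime the same history only holds it off for 300 days, so the policy alone cannot deliver the one-year guarantee asked about.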


