How to enforce password history in Active Directory
(Last updated on September 24, 2020)
The “Enforce password history” setting in Active Directory determines how many unique new passwords a user must set before an old password can be reused. This is an important setting because password reuse is a common issue: the more often the same (or a similar) password is used, the greater the chance that it will be compromised in some way, such as through a brute-force attack or even shoulder surfing. Note that once an account has been compromised, it is advised that it not be used again, as a script may have been associated with it that changes the password to a known value at a set time. So it is recommended that a new account be created for the user if a compromise occurs.
The default setting for “Enforce password history” is also its maximum value, which is 24. It is usually configured in the Default Domain Policy GPO, but it may be configured in another single policy that applies to the entire domain. You can have different settings within a single domain by using Fine-Grained Password Policies (FGPP), but there is rarely a reason for an organization not to use 24 as the value for all users.
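The following PowerShell is an added example (not code from the original article or from Specops) showing how the setting above is read and enforced with the ActiveDirectory module, both domain-wide and through an FGPP for one group. It assumes RSAT is installed, the account running it has Domain Admin rights, and the group name “Tier0-Admins”, the policy name “PSO-Tier0-Admins” and the user “jdoe” are placeholders for your own names.

```powershell
# Added example: enforce a 24-password history domain-wide and via an FGPP.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Inspect the current default domain password policy as stored on the domain head.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$policy | Select-Object PasswordHistoryCount, MinPasswordAge, MaxPasswordAge,
                        MinPasswordLength, ComplexityEnabled | Format-List

# 2. Enforce the maximum history of 24 plus a minimum age of 1 day, so a user cannot
#    cycle through 24 passwords in one sitting to get back to the old one.
#    Caveat: a domain-linked GPO (normally Default Domain Policy) that defines these
#    values reapplies them on refresh, so make the same change in that GPO for it to last.
if ($policy.PasswordHistoryCount -lt 24 -or $policy.MinPasswordAge -lt (New-TimeSpan -Days 1)) {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1)
}

# 3. A stricter FGPP for privileged accounts (assumed group name "Tier0-Admins").
#    When a user matches several FGPPs, the one with the lowest Precedence wins.
$fgppName = 'PSO-Tier0-Admins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgppName'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgppName `
        -Precedence 10 `
        -PasswordHistoryCount 24 `
        -MinPasswordLength 15 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 45) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $fgppName -Subjects 'Tier0-Admins'
}

# 4. Verify which policy actually applies to a user (assumed sAMAccountName "jdoe").
#    This returns nothing when no FGPP applies and the default domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, PasswordHistoryCount, MinPasswordAge, MaxPasswordAge
```

Step 4 is the check worth running after any FGPP change: a user who is a member of more than one FGPP subject group gets the policy with the lowest Precedence value, which is not necessarily the strictest one.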
The “Enforce password history” setting has its limitations. First, it does not stop a user from using incremental passwords, e.g. changing Password1 to Password2, then Password3, and so on. Second, when an administrator or helpdesk staff member performs a password reset on the user's account, the password history is ignored.
The “Enforce password history” setting is commonly used alongside “Minimum password age”, which stops a user from rapidly cycling through passwords to get back to the same one again. You can also set “Maximum password age” to force users to change their passwords at regular intervals (60, 90 or 120 days); this particular setting is now in question thanks to the latest password guidance from NIST. Where users rarely (if ever) change their passwords, the password history rule could have less value. Further, setting passwords to never expire might not suit your organization if other compliance regulations state otherwise. Here is how to check your Active Directory for passwords set to never expire.
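As an added example (not from the original article), the script below audits the three settings just discussed and then lists enabled accounts flagged “Password never expires”, ordering privileged ones first. It assumes the ActiveDirectory module is available, that privileged accounts are members of “Domain Admins”, and that 45 days is the threshold for admin passwords; the output file name is a placeholder.

```powershell
# Added example: audit password-age settings and accounts whose passwords never expire.
# Assumes the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# A minimum age of 0 lets a user change 25 times in a row to defeat a history of 24.
if ($policy.MinPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning "MinPasswordAge is 0: 'Enforce password history' can be bypassed by rapid changes."
}
if ($policy.PasswordHistoryCount -lt 24) {
    Write-Warning "PasswordHistoryCount is $($policy.PasswordHistoryCount); the recommended value is 24."
}
# A maximum age of 0 means passwords never expire for the whole domain.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning "MaxPasswordAge is 0: passwords never expire at the domain level."
}

# Enabled accounts carrying the per-account 'Password never expires' flag.
$neverExpire = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties PasswordLastSet, MemberOf

$report = foreach ($u in $neverExpire) {
    $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        PasswordAgeDays = if ($age) { [int]$age.TotalDays } else { 'never set' }
        # Assumed convention: privileged accounts are direct members of Domain Admins.
        IsDomainAdmin   = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' })
    }
}

# Admin accounts with a non-expiring password older than 45 days come first.
$report | Sort-Object -Property IsDomainAdmin, PasswordAgeDays -Descending | Format-Table -AutoSize
$report |
    Where-Object { $_.IsDomainAdmin -and $_.PasswordAgeDays -is [int] -and $_.PasswordAgeDays -gt 45 } |
    Export-Csv -Path .\admins-never-expire.csv -NoTypeInformation
```

The per-account flag is checked separately from the domain policy because it overrides “Maximum password age” for that account, so a domain with a sensible maximum age can still contain individual accounts that never rotate.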
Admin accounts should still change their passwords every 30-45 days. In my opinion, the no-expiry approach should only be adopted if other controls are in place, i.e. you have a method of blocking weak or leaked passwords and incremental passwords, you enforce the use of longer passphrases, and you have a way of detecting unusual logins (for example, logons from outside the network or from unusual devices).
Setting password history to 24 is still the recommended way to go; it just makes sense. As discussed, there are weaknesses in using this rule on its own with the native AD password policy. A third-party tool such as Specops Password Policy can resolve these issues: it lets you block incremental and leaked passwords, while encouraging the use of longer passphrases by extending the maximum password age when a user exceeds the minimum password length.