Re: Windows 2000 password policy bypass possibility

[Anthony DeRobertis <asd () suespammers org>]

On Friday, March 8, 2002, at 06:33 PM, Bradley, Tony wrote:

> To combat this you also need to set a minimum password age in 
> your policy.
> If you set the minimum password age to 1 month they will not be able to
> reset their password for at least 1 month each time and then 
> you guarantee
> that it will be 18 months until they can re-use the old password again.

Of course, if a user happens to find out or suspect his password 
is compromised, then he can't change it, either.

Cycling through 18 passwords take a fair amount of effort. Even 
more if you set the minimum to something like ten minutes. But 
at least ten minutes probably doesn't get in the way of users 
who need to change their password because they lost the slip of 
paper they wrote it down on.

Also, remember, the more often you make people change their 
passwords, the more likely they are to start writing them down. 
And the more valuable the stored password history is likely to 
become.