
What is Password History?

Last updated on July 6, 2020


Note: This is merely a guide. Password history policies will vary between companies and websites. This guide is a starting point to encourage further interest.

Below is an example of a password history policy you might see in the corporate world:

  1. Enforcing a password history of 24:
    1. Prevents users reusing any of the last 24 passwords they’ve used.

Some best practices that would improve the policy above:

  1. Minimum Password Age
    1. An essential control that prevents users from changing their password many times in a short period (usually a day or two) in order to cycle through the history and return to an old password.
  2. Password Complexity
  3. Proper training with examples.
    • Bad password behaviors:
      • Storing written passwords (under the keyboard for instance…).
      • Use of common words or number sequences as passwords. These are easily guessed (123456, password, etc.).
      • Using easily attainable knowledge for a password (graduation date, birthday, anniversary, pet's name, etc.).
    • Password comparisons BAD vs GOOD:
      • Password01 vs P@$$word01!!
      • 3sep1980 vs N0tUsingAnnivers0ryD@te!
  4. Why is this training and policy enforcement necessary?
    • The average user is not an expert with technology. Their specialization is usually elsewhere (this is why we have IT personnel).
    • The criminals trying to gain access to information systems ARE experts with technology and their toolbox is growing in size and capability.
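As an added illustration (not code from the original article), here is a small Python model of the two controls above: a 24-entry password history kept as salted hashes, plus a one-day minimum password age that stops a user from cycling through the history to get an old password back. The class, constant names and password strings are constructed for this demo.

```python
import hashlib
import os
from datetime import datetime, timedelta

HISTORY_SIZE = 24            # "enforce password history of 24"
MIN_AGE = timedelta(days=1)  # minimum password age of one day
ITERATIONS = 10_000          # kept low for the demo; production uses far more

def _hash(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 hashes of old passwords are retained, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class PasswordHistory:
    """Per-user record: newest-last (salt, hash) pairs plus last change time."""
    def __init__(self):
        self.entries = []
        self.last_changed = None

    def _is_reused(self, candidate: str) -> bool:
        # The current password is in the history too, so it counts as reuse.
        return any(_hash(candidate, s) == d for s, d in self.entries)

    def change_password(self, new_password: str, now: datetime):
        """Return (accepted, reason). Checks minimum age first, then history."""
        if self.last_changed is not None and now - self.last_changed < MIN_AGE:
            return False, "minimum password age not reached"
        if self._is_reused(new_password):
            return False, "password matches one of the last %d" % HISTORY_SIZE
        salt = os.urandom(16)
        self.entries.append((salt, _hash(new_password, salt)))
        del self.entries[:-HISTORY_SIZE]   # keep only the newest 24 hashes
        self.last_changed = now
        return True, "ok"

def demo():
    """Set 25 passwords one day apart, then probe the policy on day 26."""
    h = PasswordHistory()
    t0 = datetime(2020, 7, 6)
    for i in range(25):                      # constructed sample passwords
        ok, _ = h.change_password("Constructed-Pw-%d" % i, t0 + timedelta(days=i))
        assert ok
    day26 = t0 + timedelta(days=26)
    return [
        h.change_password("Constructed-Pw-24", day26),  # current: rejected
        h.change_password("Constructed-Pw-1", day26),   # in last 24: rejected
        h.change_password("Constructed-Pw-0", day26),   # aged out: accepted
        h.change_password("Constructed-Pw-9", day26),   # same day: min age
    ]
```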

Recommendation:

  1. As mentioned in previous article(s):
    1. Use a password manager like LastPass to generate complex, random passwords and store them securely.
    2. Avoid reusing passwords on multiple information systems or websites.
    3. Use services such as Gibson Research Corporation’s Haystack utility to determine the strength of a password/passphrase.

The goal of a password history policy is to ensure the integrity of passwords/passphrases by not allowing reuse. Password complexity, randomness, and avoiding password reuse provide protection against automated cracking by botnets and directed hacking. Given the ever-increasing power of computing and the proliferation of botnets, strong passwords and a password history policy are a priority for protecting information systems.
