What’s your password history? This is a question many end users are not able to answer, and it causes real frustration. Password history matters, though: it prevents a user from reusing a password that may have been compromised in the past.
One of the biggest challenges in implementing a password history policy is maintaining usability while increasing compliance and security. Because the user is limited to passwords that are new to them, they grow frustrated every time they are required to reset a password, and with those limits enforced a frustrated user is more likely to write passwords down. If you are thinking of implementing a password history policy, tailor it to your environment and make it a requirement only where it makes sense for the required level of data protection.
A key thing to remember about password history is that it has an inverse relationship with your password expiration policy: the more frequently you expire passwords, the higher the password history limit you need. For example, if you expire passwords as frequently as every 30 days, you would want a high password history limit, say around 50, which prevents the reuse of any password for 1500 days (30 days × 50 remembered passwords). Keep in mind what is necessary for the type of data you are trying to protect.
The other concern is how to help your users create passwords without the frustration of having to remember brand-new ones. Many times a user will create a password and then keep using variations of it (e.g. password, password1, password2, password3, etc.). Consider limiting similar passwords as well, since it may be crucial to your security.
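As an added example (not code from the original post), the following Python sketch shows one way to enforce a history that rejects both exact reuse and trivial variants such as password1/password2 while storing only salted hashes: each history entry keeps a hash of the exact password and a hash of a normalized form (lower-cased, trailing digits and symbols removed). The history depth and PBKDF2 parameters are assumed values for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Assumed policy values for this example; pick them from the data-protection
# level you actually need, as the post advises.
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 20_000


def normalize(password: str) -> str:
    """Collapse trivial variants into one key: case-fold and drop trailing
    digits/symbols, so 'password', 'Password1' and 'password2!' all map to
    'password'. (An all-digit password normalizes to '', which is intended.)"""
    return re.sub(r"[^a-z]+$", "", password.lower())


def _digest(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers the last `depth` passwords as (salt, exact_hash, variant_hash).
    Once the deque is full, the oldest entry drops out and may be reused again."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)

    def check(self, candidate: str) -> str:
        """Return 'ok', 'reused' (exact match) or 'variant' (near match)."""
        for salt, exact, variant in self._entries:
            if hmac.compare_digest(_digest(candidate, salt), exact):
                return "reused"
            if hmac.compare_digest(_digest(normalize(candidate), salt), variant):
                return "variant"
        return "ok"

    def set_password(self, candidate: str) -> bool:
        """Apply the policy; record the new password and return True on success."""
        if self.check(candidate) != "ok":
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _digest(candidate, salt), _digest(normalize(candidate), salt)))
        return True


if __name__ == "__main__":
    history = PasswordHistory()
    for pw in ["Winter2023!", "Winter2024!", "correct horse battery staple", "Winter2023!"]:
        print(f"{pw!r}: {history.check(pw)} -> {'accepted' if history.set_password(pw) else 'rejected'}")
```

The normalization is deliberately simple; a production implementation would also reject candidates within a small edit distance of the current password, which the user supplies in plaintext at change time.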
To help users with all of these issues, one option you could give them is a passphrase. Instead of a single string of “X” characters, you could allow them to log in with an entire sentence. This may be easier for some users to remember, and therefore easier to reset when needed.
Overall, the goal is to decrease user frustration while still implementing effective password history policies. Consider what level of data protection is required and what limits are necessary for your end users.