d0163b5f-23ab-4377-bc49-709e891a6b2b
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. In addition, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented - or if users continually reuse a small number of passwords - the effectiveness of a good password policy is greatly reduced.
Best practices and compliance require a password history set to 24, meaning that the last 24 passwords are remembered.
Fix: Configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Account Policies
|_ Password Policy
|_ "Enforce password history" to "24" passwords remembered.
STIG
Server
2022: https://stigviewer.com/stigs/microsoft_windows_server_2022/2025-01-14/finding/V-254288
2019: https://stigviewer.com/stigs/microsoft_windows_server_2019/2025-01-15/finding/V-205660
Desktop
W11: https://stigviewer.com/stigs/microsoft_windows_11/2024-09-12/finding/V-253300
W10: https://stigviewer.com/stigs/microsoft_windows_10/2024-11-25/finding/V-220742
NIST 800-53: AC-2(3)
NIST 800-171: 3.5.10 3.5.11 3.5.12 3.5.13
CMMC v2: AC.2.0.11/12/13/14
CSCv7: 16.10
Manage your cookie preferences below:
To learn more about our use of cookies, please see our
Privacy Policy.