Re: minimum number of days between password change
On 11/03/2010 10:41 AM, Robert Brockway wrote:
> Personally I don't think much of keeping a record of old password
> hashes but for a different reason: they are easily circumvented by
> the user changing their password several times until they can reuse
> the old one again.

Then, instead of retaining N number of hashes, you keep N number of
days/months of hashes.

> Some organisations have tried to prevent this by
> limiting how quickly passwords can be changed - the problem with
> this approach should be obvious :)
Seek truth from facts.
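
Added example, not part of the original message: a password history that can be bounded by entry count or by age, run against the rapid-change sequence described in the quoted text. The names PasswordHistory and cycle_and_reuse, the PBKDF2 parameters and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 20_000  # demo value so the example runs quickly; an assumption, not a recommendation

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Password history limited by entry count, by age in days, or both."""
    def __init__(self, keep_count=None, keep_days=None):
        self.keep_count = keep_count
        self.keep_days = keep_days
        self.entries = []  # (retired_at, or None while current, salt, digest), oldest first

    def change(self, password, now):
        """Return True and record the password, or False if it is still in the history."""
        if self.keep_days is not None:
            cutoff = now - timedelta(days=self.keep_days)
            # Age is measured from retirement, so the current password is never dropped.
            self.entries = [e for e in self.entries if e[0] is None or e[0] >= cutoff]
        if self.keep_count is not None:
            self.entries = self.entries[-self.keep_count:]
        for _, salt, digest in self.entries:
            if hmac.compare_digest(_digest(password, salt), digest):
                return False
        if self.entries:  # the password being replaced is retired as of now
            _, salt, digest = self.entries[-1]
            self.entries[-1] = (now, salt, digest)
        salt = os.urandom(16)
        self.entries.append((None, salt, _digest(password, salt)))
        return True


def cycle_and_reuse(history, start, changes=5):
    """Set a password, change it `changes` times in quick succession, then retry the first one."""
    history.change("original-pw", start)  # constructed sample passwords
    for i in range(changes):
        history.change(f"throwaway-{i}", start + timedelta(minutes=i + 1))
    return history.change("original-pw", start + timedelta(minutes=changes + 1))

if __name__ == "__main__":
    t0 = datetime(2010, 11, 3)
    print("count-based (N=5) allows reuse:", cycle_and_reuse(PasswordHistory(keep_count=5), t0))
    print("time-based (365 days) allows reuse:", cycle_and_reuse(PasswordHistory(keep_days=365), t0))
```

The age is counted from the moment a password is retired rather than from when it was set, so a long-lived current password cannot fall out of the window and be "changed" to itself.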