The password reuse policy determines when and whether a user may reuse a password they have used before. The two settings let an administrator require a minimum number of other passwords (Reuse Count) or a minimum elapsed time (Reuse Delay) before a password can be used again. If both values are set, APS uses the higher of the two, meaning both conditions must be satisfied. In other words, with a count of 12 and a delay of 365 days, the user may not reuse any password used in the last year. After a year, if only six other passwords have been used, another six would have to be used before the user can go back to the first password.
Values are checked both forwards and backwards, and are not case-sensitive. To turn password reuse checking off, set both values to zero or do not put the keywords into the file (comment them out).
Regardless of these settings, APS always retains at least the larger of the Reuse Count entries or one year of history. This is so that the settings can be turned on later without a gap in the history.
There is an internal restriction on the length of the password history. APS keeps at most 24K of history (dates and values, encrypted). Thus, programmatic password changers (such as those used for load/volume testing) might be able to reuse a password before these restrictions are satisfied; only an automated password changer can change a password frequently enough to fill the history. The password history has duplicate compression, so changing a password and changing it back programmatically will not overly enlarge the history.
APS cannot limit users to changing their password once per day. However, the purpose of such a limitation is to prevent users from setting a new password, then setting it back immediately. To accomplish the same purpose, set Reuse Delay to 1. The user can then change their password as many times as they want, but will not be able to set it back for 1 day. See page 67 for a further discussion of this feature.
Range: 0-500
Default: 0
Recommended: 12
Complexity Level: Intermediate
This controls how many passwords must be used before they can be reused.
Reuse Count=12
Reuse Count={@Customers} 500
Not supported on Windows NT Domain User Directories.
Range: 0-3650
Default: 0
Recommended: 365
Complexity Level: Intermediate
Controls how much time must elapse before a password can be reused.
Note that there is no need for a setting limiting how often a user may change their password. If this setting is set to one, then the user may change their password as many times as they want, but won't be able to reuse a password for 24 hours.
Reuse Delay=1
Reuse Delay={@Employees} 365
Not supported on Windows NT Domain User Directories.
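The following Python model is an added illustration of how the two settings combine; it is not APS code and is not taken from CA's implementation. It enforces the count rule and the delay rule together (a password is refused while either still covers it), compares passwords without regard to case, stores salted SHA-256 digests of the lower-cased password rather than encrypted values, applies duplicate compression when a password is set back, and retains at least the larger of the Reuse Count entries or one year. It assumes that "checked backwards" means the reversed string is also rejected, and it does not model the 24K size cap. The class and function names (PasswordHistory, change_password, walk_through_example, daily_revert_example) and the sample passwords and dates are constructed for the example.

```python
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ONE_YEAR = timedelta(days=365)


@dataclass
class HistoryEntry:
    digest: bytes      # salted one-way digest of the lower-cased password
    set_at: datetime   # when that password was set


class PasswordHistory:
    """Per-user history enforcing a Reuse Count and a Reuse Delay (hypothetical model)."""

    def __init__(self, reuse_count: int = 0, reuse_delay_days: int = 0,
                 salt: Optional[bytes] = None):
        if not (0 <= reuse_count <= 500 and 0 <= reuse_delay_days <= 3650):
            raise ValueError("Reuse Count is 0-500, Reuse Delay is 0-3650 days")
        self.reuse_count = reuse_count
        self.reuse_delay = timedelta(days=reuse_delay_days)
        self.salt = os.urandom(16) if salt is None else salt
        self.entries: List[HistoryEntry] = []   # oldest first, newest last

    def _digest(self, password: str) -> bytes:
        # Not case-sensitive: lower-case before hashing. Storing digests rather than
        # plaintext keeps old passwords themselves out of the history.
        return hashlib.sha256(self.salt + password.lower().encode("utf-8")).digest()

    def is_reuse_blocked(self, candidate: str, now: datetime) -> bool:
        """True while either the count rule or the delay rule still covers the candidate."""
        if self.reuse_count == 0 and self.reuse_delay == timedelta(0):
            return False   # both zero: reuse checking is turned off
        # "Forwards and backwards": assumed here to mean the reversed string is checked too.
        probes = {self._digest(candidate), self._digest(candidate[::-1])}
        count_floor = len(self.entries) - self.reuse_count
        delay_cutoff = now - self.reuse_delay
        for index, entry in enumerate(self.entries):
            if entry.digest not in probes:
                continue
            within_count = self.reuse_count > 0 and index >= count_floor
            within_delay = self.reuse_delay > timedelta(0) and entry.set_at > delay_cutoff
            if within_count or within_delay:   # "higher of the two": both must be satisfied
                return True
        return False

    def record(self, password: str, now: datetime) -> None:
        """Store a newly set password, compressing duplicates and pruning stale entries."""
        digest = self._digest(password)
        # Duplicate compression: setting a password back moves it to the end, not a new entry.
        self.entries = [e for e in self.entries if e.digest != digest]
        self.entries.append(HistoryEntry(digest, now))
        # Retain the larger of Reuse Count entries or one year (or the delay, if longer).
        keep_from = max(0, len(self.entries) - self.reuse_count)
        retain_for = max(ONE_YEAR, self.reuse_delay)
        self.entries = [e for i, e in enumerate(self.entries)
                        if i >= keep_from or now - e.set_at <= retain_for]

    def change_password(self, new_password: str, now: datetime) -> bool:
        """Apply the policy: record and return True, or refuse the change with False."""
        if self.is_reuse_blocked(new_password, now):
            return False
        self.record(new_password, now)
        return True


def walk_through_example() -> Dict[str, bool]:
    """Replays the text's scenario (Count=12, Delay=365) with constructed passwords."""
    history = PasswordHistory(reuse_count=12, reuse_delay_days=365, salt=b"constructed-salt")
    start = datetime(2014, 1, 1)
    history.record("Initial!Pass0", start)                    # the user's first password
    for n in range(1, 7):                                     # six changes in half a year
        history.change_password(f"Pass{n}!", start + timedelta(days=30 * n))
    results = {}
    # A year later only six other passwords have been used: the count rule still blocks.
    results["after_year_six_used"] = history.change_password("initial!pass0", start + timedelta(days=400))
    for n in range(7, 13):                                    # another six
        history.change_password(f"Pass{n}!", start + timedelta(days=400 + n))
    results["after_twelve_used"] = history.change_password("Initial!Pass0", start + timedelta(days=420))
    later = start + timedelta(days=421)
    results["case_variant_blocked"] = history.is_reuse_blocked("PASS12!", later)
    results["reversed_blocked"] = history.is_reuse_blocked("!21ssaP", later)
    return results


def daily_revert_example() -> Dict[str, bool]:
    """Reuse Delay=1: any number of changes per day, but no setting a password back for a day."""
    history = PasswordHistory(reuse_count=0, reuse_delay_days=1, salt=b"constructed-salt")
    start = datetime(2014, 6, 1, 9, 0)
    history.record("Morning#1", start)
    return {
        "first_change": history.change_password("Afternoon#2", start + timedelta(hours=1)),
        "second_change": history.change_password("Evening#3", start + timedelta(hours=2)),
        "revert_same_day": history.change_password("Morning#1", start + timedelta(hours=3)),
        "revert_next_day": history.change_password("Morning#1", start + timedelta(hours=25)),
    }
```

The walk-through reproduces the text's example: after six other passwords the first one is still refused by the count rule even though a year has passed, and only after twelve others is it accepted. The second function shows the Reuse Delay=1 technique from the notes above: the user changes their password repeatedly within an hour, cannot set it back the same day, and can after 24 hours.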
Copyright © 2014 CA.
All rights reserved.