Password Age and Reuse
Consider the following guidelines when determining age and reuse policies:
- The password reuse policy keeps a password history so that a user cannot return to a recently used password. A setting of 0 means that no history is kept and reuse is not enforced. A setting greater than 0 is the number of previous passwords that are saved and compared against each new password. History is only effective together with a minimum age: without one, a user can cycle through the required number of throwaway passwords in a single session and land back on the original. A strong password policy should prevent users from reusing a password for at least a year, so size the history so that a password cannot come back within that period at the change rate the age settings allow.
- The recommended maximum age for a password varies with password length and complexity. One general rule is that the maximum age should be shorter than the time a brute-force attack needs to exhaust the password space at a realistic guess rate. Note that this bounds only guessing attacks; it does nothing for a password that has been phished or leaked, which should be reset as soon as the compromise is known, and current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation on its own. With that in mind, a common standard for maximum age is 30 to 60 days.
- Setting a minimum age prevents users from changing their password several times in one session to cycle through the history and get back to a previous password. A common best practice recommendation is 3 days. The minimum age must be shorter than the maximum age, and an administrator must still be able to reset a password inside that window so that a user whose password has been compromised is not stuck with it.
- If you set a maximum age, warn users before their passwords expire so they are not locked out unexpectedly. You can set the warning to begin at the midpoint of the age or closer to expiration.
- Lock user accounts after a reasonable number of failed logins. This blocks online password guessing by attackers. Three to five attempts is a standard number after which an account is locked. Pair the threshold with a window after which the failure counter resets and a defined unlock procedure; otherwise an attacker who knows valid usernames can lock legitimate users out at will.
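The following Python is an added example, not code from this guide or from the product it documents. It simulates how the settings above interact: a salted password history checked against each change, a minimum age that stops history cycling, a maximum age with a warning point, a failed-login lockout with a reset window, and a brute-force time estimate to compare against the maximum age. All names, defaults and the PBKDF2 work factor are assumptions chosen for illustration; your directory product's own settings and attribute names will differ.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86_400  # seconds


@dataclass
class Policy:
    history_depth: int = 12           # previous passwords remembered; 0 = none
    min_age: int = 3 * DAY            # seconds before a user may change again
    max_age: int = 60 * DAY           # seconds after which a password expires
    warn_after: int = 30 * DAY        # warning begins at the midpoint here
    lockout_threshold: int = 5        # failed logins before the account locks
    failure_window: int = 15 * 60     # failures older than this are forgotten


@dataclass
class Account:
    policy: Policy
    salt: bytes = b""
    digest: bytes = b""
    history: list = field(default_factory=list)   # (salt, digest), oldest first
    last_change: float = 0.0
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked: bool = False


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history holds no cleartext. 1000 iterations keeps
    # the demo fast; production work factors are far higher (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


def change_password(acct: Account, new: str, now: float, admin: bool = False) -> str:
    """Apply the age and reuse rules; return 'ok' or the rule that rejected it.
    The current password is always rejected; history_depth adds N previous ones.
    Administrator resets bypass the minimum age but not the reuse check."""
    p = acct.policy
    if acct.digest and not admin and now - acct.last_change < p.min_age:
        return "min-age"
    if acct.digest and _matches(new, acct.salt, acct.digest):
        return "reused"
    if p.history_depth and any(_matches(new, s, d) for s, d in acct.history):
        return "reused"
    if acct.digest:  # retire the old password into the history and trim it
        acct.history.append((acct.salt, acct.digest))
        acct.history = acct.history[-p.history_depth:] if p.history_depth else []
    acct.salt = os.urandom(16)
    acct.digest = _digest(new, acct.salt)
    acct.last_change = now
    return "ok"


def password_state(acct: Account, now: float) -> str:
    """'ok', 'warn' (past the warning point) or 'expired' (past max age)."""
    age = now - acct.last_change
    if age >= acct.policy.max_age:
        return "expired"
    if age >= acct.policy.warn_after:
        return "warn"
    return "ok"


def login(acct: Account, password: str, now: float) -> str:
    """'ok', 'expired', 'denied' or 'locked'; locks after too many failures."""
    if acct.locked:
        return "locked"
    if _matches(password, acct.salt, acct.digest):
        acct.failures.clear()
        return "expired" if password_state(acct, now) == "expired" else "ok"
    # Only failures inside the window count, so old attempts do not pile up
    # and an attacker must guess fast enough to trip the threshold.
    acct.failures = [t for t in acct.failures if now - t < acct.policy.failure_window]
    acct.failures.append(now)
    if len(acct.failures) >= acct.policy.lockout_threshold:
        acct.locked = True
        return "locked"
    return "denied"


def brute_force_days(charset: int, length: int, guesses_per_second: float) -> float:
    """Days to exhaust the keyspace; compare with Policy.max_age / DAY."""
    return charset ** length / guesses_per_second / DAY


def cycling_attempt(min_age: int) -> list:
    """A user tries to get back to 'Winter2024!' by burning through a history
    of 3 in one sitting. Returns the result of each change attempt."""
    acct = Account(Policy(history_depth=3, min_age=min_age))
    change_password(acct, "Winter2024!", 0.0)
    results = []
    for i in range(5):  # four throwaway passwords, then the original again
        pw = f"throwaway-{i}" if i < 4 else "Winter2024!"
        results.append(change_password(acct, pw, float(i + 1)))
    return results
```

`cycling_attempt(0)` returns five `"ok"` results: with no minimum age the user walks the original password out of a three-deep history and back in within seconds. `cycling_attempt(3 * DAY)` returns `"min-age"` for every attempt, which is the point of pairing the two settings. The brute-force helper shows the other side of the age rule: eight alphanumeric characters fall to a 10^9 guess/s attacker in about 2.5 days, well inside a 60-day maximum age, while twelve characters do not.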