Configure the PingDirectory server to maintain a history of former passwords so that users cannot reuse the same password multiple times.
Use the following password policy configuration properties to enable a password history:
- The maximum number of former passwords to maintain in the history.
- The maximum length of time that former passwords should be stored in the history.
If either of these properties is configured with a nonzero value, then the server maintains a password history for users associated with that password policy.
If a password history is to be maintained, then you might want to also impose a limit on how frequently users are allowed to change their password. Without such a limit, some crafty users might attempt to change their passwords several times in quick succession to purge the password they want to keep from the history so they can re-use it. Configure this limit with the following configuration property:
- The minimum length of time that must pass between self password changes. If a user attempts to change their password multiple times within this duration, then the later attempts are rejected.
Note:
Administrators are able to reset user passwords at any time, regardless of how long it has been since a user has changed their password. This limit also does not prevent a user from choosing a new password following an administrative reset.
See the config/sample-dsconfig-batch-files/enable-password-history.dsconfig batch file for more information about enabling password history.
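The following added example is a simplified model of the behavior described above, not PingDirectory code or configuration. It shows why a count-based history needs a minimum time between self changes, while a duration-based history is not emptied by rapid changes. The names `Policy`, `Account`, `self_change` and `cycle_back` are hypothetical, and the timestamps and passwords are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    history_count: int = 0                      # 0 disables the count limit
    history_duration: timedelta = timedelta(0)  # 0 disables the age limit
    min_password_age: timedelta = timedelta(0)  # 0 allows back-to-back changes

@dataclass
class Account:
    password: str
    changed_at: datetime
    history: list = field(default_factory=list)  # (password, retired_at), oldest first

def _trim(acct, pol, now):
    """Drop history entries that fall outside the configured limits."""
    if pol.history_duration:
        acct.history = [(p, t) for p, t in acct.history if now - t <= pol.history_duration]
    if pol.history_count:
        acct.history = acct.history[-pol.history_count:]
    if not pol.history_count and not pol.history_duration:
        acct.history = []  # both limits zero: no history is kept

def self_change(acct, pol, new_pw, now):
    """Apply a self-service password change; return (accepted, reason)."""
    if pol.min_password_age and now - acct.changed_at < pol.min_password_age:
        return False, "within minimum password age"
    _trim(acct, pol, now)
    if new_pw == acct.password or any(new_pw == p for p, _ in acct.history):
        return False, "password is in history"
    acct.history.append((acct.password, now))
    _trim(acct, pol, now)
    acct.password, acct.changed_at = new_pw, now
    return True, "accepted"

def cycle_back(pol, gap=timedelta(minutes=1)):
    """Make rapid throwaway changes, then try to return to the original password."""
    now = datetime(2024, 1, 1)  # constructed start time
    acct = Account("Original-pw", now)
    for i in range(pol.history_count + 1):
        now += gap
        self_change(acct, pol, f"Throwaway-{i}", now)
    now += gap
    return self_change(acct, pol, "Original-pw", now)
```

In this model, `cycle_back(Policy(history_count=3))` ends with the original password accepted again, while adding `min_password_age=timedelta(days=1)` causes every rapid change to be rejected.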