Details
-
Suggestion
-
Resolution: Won't Fix
Description
For most of our systems, we don't allow users to change passwords more than 2 times per day.
The premise is if a user has a favorite password (for example "lamepassword") and rules prevent the user from repeating the last 5 passwords, then the user could just change the password repeatedly ("lamepassword1", "lamepassword2", "lamepassword3", etc.) until they could use their favorite password again.
By limiting the number of times per day that a user could change their password, we can discourage (not eliminate) the recycling of passwords.
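The following sketch models the control described in this ticket: a 5-password history combined with a cap on changes per day. It is an added example, not code from the ticket or from the product. The names `PasswordPolicy` and `time_to_recycle` are hypothetical, and it assumes that the current password counts toward the remembered five and that "per day" means a rolling 24-hour window.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta

HISTORY_DEPTH = 5  # from the ticket: the last 5 passwords cannot be repeated

class PasswordPolicy:
    """Hypothetical policy: password history plus a cap on changes per 24 hours."""

    def __init__(self, initial, max_changes_per_day):
        self.salt = os.urandom(16)
        # Assumption: the current password counts as one of the remembered five.
        self.history = deque([self._digest(initial)], maxlen=HISTORY_DEPTH)
        self.max_changes = max_changes_per_day  # None disables the cap
        self.change_times = []

    def _digest(self, password):
        # Store salted, stretched digests of old passwords, never the plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def change(self, new_password, now):
        # Assumption: "per day" is a rolling 24-hour window.
        self.change_times = [t for t in self.change_times if t > now - timedelta(days=1)]
        if self.max_changes is not None and len(self.change_times) >= self.max_changes:
            return "rate_limited"
        candidate = self._digest(new_password)
        if any(hmac.compare_digest(candidate, old) for old in self.history):
            return "in_history"
        self.history.append(candidate)
        self.change_times.append(now)
        return "ok"

def time_to_recycle(max_changes_per_day, favorite="lamepassword"):
    """Elapsed time until the favorite password is accepted again."""
    start = now = datetime(2024, 1, 1, 9, 0)  # constructed clock
    policy = PasswordPolicy(favorite, max_changes_per_day)
    pending = [f"{favorite}{i}" for i in range(1, HISTORY_DEPTH + 1)] + [favorite]
    while pending:
        result = policy.change(pending[0], now)
        if result == "ok":
            pending.pop(0)
        elif result == "rate_limited":
            now += timedelta(hours=1)  # user waits and retries
        else:
            raise RuntimeError(result)
    return now - start
```

With no cap, `time_to_recycle(None)` is zero elapsed time; with the cap of 2 per day it becomes two days, which matches the ticket's point that the limit discourages recycling without eliminating it.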