24.3 (L1) Ensure 'Device Password History' is set to '24 or more password(s)'

Information

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. In an Intune managed environment this setting applies to local user accounts and not Entra ID accounts.

The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.

The recommended state for this setting is: 24 or more password(s)

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.

If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to 24 or more password(s) :

Device Lock\Device Password Enabled: Device Password History

Impact:

The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess.

Warning: If an organization is using Windows Hello for Business the the Device Lock password settings can impact PIN polices if those policies are not first defined elsewhere. Windows will follow the Windows Hello for Business policies for PINs if this key exists: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies Otherwise, it will follow Device Lock policies.

This benchmark recommends configuring Device Lock policies for Local User accounts and Windows Hello for Business policies for PINs.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|16.2

Plugin: Windows

Control ID: f48ee8db8296325d89c544bcfc6ad9b7965b2ae386b409a825812f60951fad0f