Password history

6.5 Explain password best practices.

📘CompTIA ITF+ (FC0-U61)


Explained

Password history is a security feature used in systems to prevent users from reusing old passwords. It is part of password best practices and helps keep accounts more secure.

Why Password History Matters

When a user changes a password, there is a risk they might reuse an old one. Reusing old passwords makes accounts easier to compromise, because an attacker may already know a previous password from a data breach or another source.

By storing a history of old passwords, a system can remember the last few passwords a user has used and stop them from being reused.


How Password History Works in IT Systems

  1. System stores previous passwords:
    • When you change your password, the system keeps a record of the old ones (usually in a hashed form for security).
  2. Enforces a password reuse limit:
    • Many systems let you set how many previous passwords cannot be reused.
    • For example:
      • If the password history is set to 5, the last 5 passwords cannot be reused.
      • This means when you try to set a new password, the system will check it against your last 5 passwords and deny the change if it matches any.
  3. Improves security for organizations:
    • In corporate IT environments, this is a common policy.
    • For example, Active Directory in Windows networks allows administrators to configure password history and minimum password age.

Key Concepts Related to Password History

  1. Password age:
    • Systems often combine password history with a minimum password age.
    • This prevents a user from changing their password multiple times in a row to “cycle back” to the old password.
    • Example: If minimum password age is 1 day and password history is 5, you must wait 1 day before changing your password again, and you cannot use any of the last 5 passwords.
  2. Password policies:
    • Password history is usually part of a broader password policy that also includes:
      • Minimum length
      • Complexity requirements (uppercase, lowercase, numbers, symbols)
      • Maximum age (how long a password can be used before it must be changed)
  3. Hashing and security:
    • Old passwords are not stored as plain text; they are stored as hashed values.
    • This ensures that even if someone gains access to the stored password history, they cannot read the actual passwords directly.
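The mechanism described above (hashed history entries, a reuse limit of 5, and a 1-day minimum age), worked through as an added Python example that is not part of the original study notes. The `Account` class, the `exam_scenario` function and the password values `pw0`..`pw6` are constructed for this demo; it counts the current password plus the last HISTORY_SIZE previous ones as "remembered".

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Optional

HISTORY_SIZE = 5                      # remember the last 5 passwords (value from the text)
MIN_PASSWORD_AGE = timedelta(days=1)  # 1 day between changes (value from the text)
PBKDF2_ROUNDS = 20_000                # kept low so the demo runs fast; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest): a fresh random salt per entry, never the plain text."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, entry: tuple) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, password: str, now: datetime):
        self.current = hash_password(password)
        self.previous = []            # old hashes, most recent first, at most HISTORY_SIZE
        self.last_changed = now

    def change_password(self, new_password: str, now: datetime) -> str:
        """Return 'changed', 'too_soon' (minimum age) or 'reused' (history check)."""
        if now - self.last_changed < MIN_PASSWORD_AGE:
            return "too_soon"         # blocks rapid changes used to cycle back to an old password
        if any(matches(new_password, e) for e in [self.current] + self.previous):
            return "reused"           # matches the current or one of the last HISTORY_SIZE passwords
        self.previous.insert(0, self.current)
        del self.previous[HISTORY_SIZE:]   # forget anything older than the last N
        self.current = hash_password(new_password)
        self.last_changed = now
        return "changed"


def exam_scenario() -> dict:
    """Replay the exam tip: six daily changes, then try to reuse old passwords."""
    start = datetime(2024, 1, 1)
    acct = Account("pw0", start)
    results = {"same_day_change": acct.change_password("pw1", start)}      # too_soon
    for i in range(1, 7):                                                   # changes 1..6
        acct.change_password(f"pw{i}", start + timedelta(days=i))
    later = start + timedelta(days=7)
    results["pw5_one_change_ago"] = acct.change_password("pw5", later)      # reused
    results["pw1_five_changes_ago"] = acct.change_password("pw1", later)    # reused
    results["pw0_six_changes_ago"] = acct.change_password("pw0", later)     # changed
    return results
```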

IT Environment Example

In a corporate network using Windows Active Directory:

  • IT admins can set a password policy like this:
    • Password history: 10 (prevents reuse of the last 10 passwords)
    • Maximum password age: 90 days (user must change password every 90 days)
    • Minimum password age: 1 day (prevents immediate cycling back to an old password)
  • This ensures that employees cannot reuse old passwords, which reduces the risk of account compromise.

Why Students Should Remember This for the Exam

  1. Definition: Password history = system remembers old passwords to prevent reuse.
  2. Purpose: Stops users from reusing passwords, increases security.
  3. Key settings:
    • Number of passwords remembered
    • Minimum and maximum password age
  4. Environment example: Active Directory or any system enforcing password policies in IT.

Exam Tip:
On the CompTIA ITF+ exam, a question about password history might ask:

  • “Why is password history used?” → To prevent users from reusing old passwords.
  • “If a system has password history set to 5, can a user reuse a password they used 6 changes ago?” → Yes, because only the last 5 are blocked.