Is there a specific purpose of Minimum Password Age setting?

538    Asked by amit_2689 in SQL Server , Asked on Dec 28, 2021

 What additional security can the setting "password minimum age" provide? One of the articles that I read had the basic description of the setting - The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0.

Answered by Amit Sinha

There are at least two things going on and the Minimum Password Age setting is the sort of AD security function that only makes sense if you properly use the AD function to lockout after "n" failed attempts, and also require your system to remember "n x 2" previous passwords -- with "n x 2" being pulled completely out of the air to be sufficiently larger than "n" so that an attacker who has a rough idea of your victim's password is will lock themselves out before exploring your less-security-conscious co-workers' password space. Ultimately these policies only really become powerful when your users are alert, and you don't unlock their account automatically within "n" minutes of locking out in plain sight. If your users assume that being locked out is a red-alert dead give away and they require administrative intervention to restore access, you have a much more secure environment than if your user simply says "huh, I'm locked out" and gets in 10 minutes later, or "huh, I forgot my password" and has the IT guy who maybe changed their password yesterday to perform nefarious deeds reset their password for them.


This is funny because a new guy asked me about this last week:

  1) It is intended to prevent a user from cycling through "n" unique passwords so that they can cycle back to their "preferred password," like "Password1."

So if the system remembers your last 10 (n=10) passwords (through hashes, not clear text, any system that inspects your "edit distance" is compromising security by storing clear text or mincing up the password into multiple hashes) then the end user will need to waste at least "n x minimum password age" days changing their password until they arrive at their original, discouraging the practice. Despite the fact that people like to say "changing passwords decreases security," this is only correct if your users are essentially leaving their new passwords out. If your users are routinely flipping from "1password" to "Password2" and so forth, you are still more secure if an attacker has to guess their way through this series of passwords. All bets are off with a brute-force password file attack, but all bets are pretty much always off in that scenario with NT hashes.

  2) If you walk into your place of business and are an adult with a consciousness of security and an expectation to behave with security in the forefront of your brain, you should consider an inability to log into your workstation a security incident. This feature gives you slightly more information that you might otherwise have, if you're the type of person that cruises from "Password2" to "Password3" until you reach the end.

So if you're locked out of your account and have no idea why, red alert! Somebody is trying something, or you locked yourself out, or there's an automated process trying to use your credentials. Even if you're the one who enters the wrong password 20 times, did you really forget it, or did someone else change it on you?

Let's say that you finally get in without administrative intervention, and decide that even though you're 99% sure your password was "Password2" yesterday, suddenly it's "Password3." Because a naughty SA changed your password temporarily in order to perform some auditable events under your account, and then tried to change your password back, but they were off by one. This is highly unlikely, why wouldn't the SA just guess your password? Maybe they are trying to avoid triggering any login failure events and simply use their normal admin tools to change it, and then change it "back."
Instead of simply saying "huh, that's weird," you have the ability to TRY to change your password and to determine if someone other than you changed it the day before, in order to perform "nefarious deeds" under your account. You will be told that you can't change your password, because it was changed recently.
This is not an "official reason" either, #1 is -- but it is empowering for the end user to be able to know with some certainty whether someone else is compromising your password. In my experience, people tend to use the same passwords in secure and non-secure environments, and black hat or disgruntled administrators can figure out your favorite password "trends" more easily than you might expect.

Too often people think they "forget their password" and just assume that it was magically forgotten from one day to the next. More often than not, that is the case. But if you're in a truly secure environment, think twice!

And yes, I realize that this security-conscious end user shouldn't be cycling through passwords like this, because it's only a matter of time before someone is able to explore your lockout window and password-change-frequency window (30-90 days, etc) to figure you out, but users too often operate under the assumption that admins know their password and can do whatever they want. If you don't assume this, and instead know that they have to go out of their way to figure out what your password might be, just that information is a game-changer to have.

Your Answer

Interviews

Parent Categories