3.5.8 — No Password Recycling

The One-Liner

If a user can change their password 5 times and get back to their favorite, your password history is too short.

What It Says

Prohibit password reuse for a specified number of generations.

What It Actually Means

Enforce a password history of at least 24 passwords. This prevents users from cycling through a small set and returning to their favorite.

Why 24? With no forced rotation, users rarely change passwords — so 24 passwords of history effectively means they can never reuse one. With monthly rotation (if required), 24 means they can’t reuse a password for two years.

Combine this with a minimum password age (typically 1 day) to prevent users from rapidly cycling through 24 changes in one sitting to get back to their preferred password.

The assessor will check the actual configuration — both the history depth and the minimum age.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is a password reuse restriction defined?	Policy states 24-password history (or your defined number)
2	Is password reuse technically prevented?	AD/Entra configured to remember 24 passwords and reject reuse

---

What to Have Ready on Assessment Day

Documents they’ll review: Identification and authentication policy; procedures addressing authenticator management; system security plan; system configuration settings showing password history

People they’ll talk to: Personnel with information security responsibilities; system or network administrators

Live demos they’ll ask for: Mechanisms enforcing password history requirements

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How many previous passwords does your system remember?”
• “Show me the GPO or Entra configuration for password history.”
• “Is there a minimum password age to prevent rapid cycling?”
• “What happens when a user tries to reuse a recent password?”

Real-World Example

A contractor’s AD GPO shows: ‘Enforce password history: 24 passwords remembered’ and ‘Minimum password age: 1 day.’ The assessor asks for a demo — a test user tries to change their password to one used previously and gets ‘This password doesn’t meet the history requirements.’ The 1-day minimum age means even if someone wanted to cycle through 24 changes, it would take 24 days.

---

Where Companies Trip Up

History too short. Remembering only 5 passwords means a user cycles through 5 and gets back to their favorite. Set to 24.

No minimum password age. A user rapidly changes their password 24 times in 5 minutes to exhaust the history and reuse their preferred password. Minimum 1-day age prevents this.

Configuration doesn’t match policy. Policy says 24 but GPO is set to 12. Check the actual configuration.

---

How to Talk About This

To a CEO or Board

Our systems remember the last 24 passwords. Users can’t cycle back to old favorites.

To an Engineering Team

AD GPO: 24-password history, 1-day minimum age. Entra ID: mirrors AD settings via password writeback. Verified in Group Policy Management Console.

---

Connected Requirements

Requirement	Why it matters here
3.5.7 — Password Rules	Complexity rules ensure new passwords are strong; history ensures they’re different
3.5.9 — Change Temp Passwords	Temp passwords get changed on first use, then history tracking begins

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: IA.L2-3.5.8 | SPRS Weight: 1 point | POA&M Eligible: Yes