
Enforcing Password History in Your AD to Curb Password Reuse
2022-07-18 14:04

Microsoft recommends configuring the password history to remember the last 24 passwords.

Unless an organization enforces a password history requirement, a user could skirt the rules by changing their password and then immediately changing back to their original password.

Password history requirements discourage this type of behavior by making it more difficult for a user to reuse their old password.

Windows makes it easy to add a password history requirement to an existing password policy.

The user could simply change their password six times in rapid succession and then go back to using their original password.

By default, Windows allows a recently changed password to be changed again immediately, thereby allowing a determined user to cycle through numerous password changes very quickly until they get back to the point at which they are allowed to reuse their original password.
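One way to audit for the loophole described above, as an added example that is not code from the article: the function name `Test-PasswordReusePolicy` is hypothetical and the two sample policies are constructed; only the threshold of 24 comes from the recommendation quoted on this page.

```powershell
# Added example: flag password policies that allow quick cycling back to an old password.
function Test-PasswordReusePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,
        [int]$RequiredHistory = 24   # Microsoft recommendation quoted on this page
    )
    process {
        # The default domain policy object has no Name property, so fall back to a label.
        $nameProp = $Policy.PSObject.Properties['Name']
        $name     = if ($nameProp -and $nameProp.Value) { $nameProp.Value } else { 'Default Domain Policy' }
        $history  = [int]$Policy.PasswordHistoryCount
        $minAge   = [timespan]$Policy.MinPasswordAge
        $issues   = @()
        if ($history -lt $RequiredHistory) {
            $issues += "history remembers $history passwords (recommended: $RequiredHistory)"
        }
        if ($minAge -le [timespan]::Zero) {
            $issues += 'minimum password age is 0, so the history can be cycled immediately'
        }
        [pscustomobject]@{
            Policy         = $name
            HistoryCount   = $history
            MinPasswordAge = $minAge
            # Lower bound on the time a user needs to cycle through the whole
            # history: one wait of MinPasswordAge per remembered password.
            MinCycleTime   = [timespan]::FromTicks($minAge.Ticks * $history)
            Compliant      = ($issues.Count -eq 0)
            Issues         = $issues -join '; '
        }
    }
}

# Constructed sample policies (not real data). Against a live domain, pipe in the
# output of Get-ADDefaultDomainPasswordPolicy and
# Get-ADFineGrainedPasswordPolicy -Filter * (ActiveDirectory module) instead.
$sample = @(
    [pscustomobject]@{ Name = 'Constructed-Default'; PasswordHistoryCount = 6;  MinPasswordAge = [timespan]::Zero }
    [pscustomobject]@{ Name = 'Constructed-Admins';  PasswordHistoryCount = 24; MinPasswordAge = [timespan]::FromDays(1) }
)
$sample | Test-PasswordReusePolicy | Format-List
```

The first sample is reported as non-compliant with a `MinCycleTime` of zero, which is the rapid-succession case; the second needs at least 24 days to cycle through its history.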


News URL

https://www.bleepingcomputer.com/news/security/enforcing-password-history-in-your-ad-to-curb-password-reuse/