Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.8 – Prohibit password reuse for a specified number of generations.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires organizations to prevent users from reusing recently used passwords by defining how many prior passwords are remembered and blocked from reuse. The goal is to keep a previously used, and possibly already exposed, secret from simply coming back into service: you must specify the number of generations during which a password cannot be reused, and technically enforce that prohibition for that number of generations.
Technical Implementation
- Define the policy values in your information security policy first. Choose a reasonable password history (commonly 12 generations) and a minimum password age (e.g., 1–2 days) so users cannot immediately cycle back to an old password. Document the decision and the rationale in your policy template so auditors and administrators can verify it.
- For Active Directory domain environments: use Group Policy. Configure Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → “Enforce password history” and set it to your chosen number (for example, 12). Also set “Minimum password age” to prevent immediate rotation and “Maximum password age” to force periodic changes if required by policy.
- For cloud identities (Microsoft Entra ID/Azure AD) or hybrid environments: review your tenant’s password policy options and any available controls from Microsoft Endpoint Manager / Intune. If your cloud provider does not directly expose a password history setting, use conditional access, identity protection features, or integrate with on-prem AD via Azure AD Connect so the on-prem policy can govern reused passwords for synced accounts. For cloud-only setups, consider enforced use of modern authentication and passwordless methods to reduce reliance on reusable passwords.
- Use local account controls for non-domain devices: for local Windows accounts, configure local security policies or scripts to enforce password history settings where possible; for Linux systems, configure /etc/pam.d/common-password with the pam_unix or pam_pwhistory modules to enforce password history and prevent reuse (e.g., remember=12).
- Operationalize controls: ensure helpdesk and onboarding processes acknowledge the policy, deploy a password manager company-wide to reduce risky reuse behavior, and enforce multi-factor authentication (MFA) to mitigate the remaining risk of password compromise.
- Audit and validate: schedule periodic checks. For AD, run PowerShell (Get-ADDefaultDomainPasswordPolicy) or review GPOs to confirm settings. For Linux, test PAM configuration on representative hosts. Keep logs of changes and produce a simple compliance report for leadership showing the password history and related settings are in place.
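The pam_pwhistory stacking referred to in the Linux step, written out as an added example (this is a constructed fragment, not configuration from the original page). It assumes a Debian/Ubuntu-style /etc/pam.d/common-password that is maintained by hand rather than by pam-auth-update (which can overwrite manual edits), and uses remember=12 to match the 12-generation value used elsewhere on this page. Red Hat-family systems keep the equivalent stack in /etc/pam.d/system-auth and /etc/pam.d/password-auth instead.

```text
# /etc/pam.d/common-password (constructed example for a Debian/Ubuntu-style stack)
# Order matters: pam_pwhistory must run BEFORE pam_unix so the candidate password
# is compared against the history in /etc/security/opasswd before pam_unix hashes
# and stores it. Without use_authtok here, pam_pwhistory prompts for the new
# password itself and hands it down the stack; pam_unix then consumes it via use_authtok.
# If pam_pwquality is also stacked, place it first and give pam_pwhistory use_authtok as well.
password  requisite                    pam_pwhistory.so  remember=12 enforce_for_root
password  [success=1 default=ignore]   pam_unix.so       obscure use_authtok try_first_pass sha512
password  requisite                    pam_deny.so
password  required                     pam_permit.so
```

Use either pam_pwhistory or the older pam_unix remember= option, not both, since both write the same /etc/security/opasswd history file. To validate on a representative host, change a test user's password twice and then try to set it back to the first value; the expected result is a rejection stating that the password has already been used.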
Example in a Small or Medium Business
Acme Manufacturing maintains an on-prem Active Directory domain for 120 employees and uses Microsoft Endpoint Manager for some laptops. The security lead drafts an update to the information security policy specifying “Enforce password history: 12 generations” and “Minimum password age: 1 day.” The systems administrator creates a Group Policy Object named “Password Standards” and sets Enforce password history = 12, Minimum password age = 1 day, and other password requirements. The GPO is linked to the domain and tested on a pilot OU of ten users to verify behavior. When John in accounting tries to recycle a password he used six months ago, the domain rejects it and displays an error instructing him to pick a new password. The helpdesk staff are trained to explain the policy and assist with approved password manager setup for employees. IT runs a weekly script that checks the domain password policy setting and archives the results for the security lead to include in monthly compliance reporting.
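The weekly audit script from the scenario above, and the PowerShell check named in the audit step, written out as an added example (this is not code from the original page or from any vendor). It assumes the ActiveDirectory RSAT module is installed, that the running account can read domain password policy, and that reports are archived under C:\Compliance (an assumed path). It goes slightly beyond the single cmdlet the page mentions by also inspecting fine-grained password policies (PSOs), because a PSO overrides the default domain policy for the users and groups it applies to, so a compliant default alone does not prove the control is enforced for everyone.

```powershell
#Requires -Modules ActiveDirectory
# Constructed example: audit domain password history and minimum age against the
# values recorded in the information security policy (12 generations, 1 day).
param(
    [int]$RequiredHistory    = 12,   # generations remembered (page value)
    [int]$RequiredMinAgeDays = 1,    # minimum password age in days (page value)
    [string]$ReportPath      = "C:\Compliance\IA.L2-3.5.8-$(Get-Date -Format yyyyMMdd).csv"  # assumed location
)

Import-Module ActiveDirectory

# Helper: turn one policy object (default policy or PSO) into two findings.
function Get-PasswordPolicyFindings {
    param([string]$Label, $Policy)
    [pscustomobject]@{
        Scope     = $Label
        Setting   = 'Enforce password history'
        Actual    = $Policy.PasswordHistoryCount
        Required  = ">= $RequiredHistory"
        Compliant = $Policy.PasswordHistoryCount -ge $RequiredHistory
    }
    [pscustomobject]@{
        Scope     = $Label
        Setting   = 'Minimum password age (days)'
        Actual    = $Policy.MinPasswordAge.TotalDays
        Required  = ">= $RequiredMinAgeDays"
        Compliant = $Policy.MinPasswordAge.TotalDays -ge $RequiredMinAgeDays
    }
}

# The Default Domain Policy values that actually govern the domain.
$findings = @(Get-PasswordPolicyFindings -Label 'Default domain policy' -Policy (Get-ADDefaultDomainPasswordPolicy))

# Each PSO can weaken (or strengthen) the default for its members; check them all.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $findings += Get-PasswordPolicyFindings -Label "PSO '$($pso.Name)'" -Policy $pso
}

# Human-readable view for the administrator, CSV for the monthly compliance report.
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Non-zero exit lets a scheduled task flag drift from the documented policy.
if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more password policy settings do not meet the documented IA.L2-3.5.8 values.'
    exit 1
}
```

Run it from a scheduled task on a management host; each run leaves a dated CSV that the security lead can attach to the monthly report, and a non-zero exit code surfaces drift (for example, someone lowering the history count on a PSO) without anyone having to open the GPO editor.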
Summary
Prohibiting password reuse for a specified number of generations is a straightforward control that combines a written policy with technical enforcement. For SMBs this means: decide an appropriate history length (commonly 12), set and enforce it via Group Policy, PAM, or your identity provider, prevent immediate cycling with a minimum password age, and support users with password managers and MFA. Regular audits and simple reporting complete the loop so you can demonstrate the control is active and effective.