NIST SP 800-171 Control 3.5.8: Password Reuse Prohibition
Control 3.5.8 requires organizations to prevent users from reusing passwords across a specified number of generations. This foundational access control reduces the risk of unauthorized account compromise and strengthens credential security across your systems.
What this means
Password reuse prohibition restricts users from cycling back to previously used passwords when forced to change credentials. Organizations must enforce a minimum number of unique password generations (typically 5-24) before reuse is allowed. This prevents attackers from gaining access if historical credentials are compromised, and it discourages predictable password rotation patterns.
How to comply
- 1.Define and document a password history requirement (minimum recommended: 5 previous passwords retained).
- 2.Configure identity and access management systems to enforce password history policies across all user accounts.
- 3.Test password change workflows to verify rejected reuse attempts and proper error messaging.
- 4.Apply the policy consistently to standard users, administrators, and service accounts.
- 5.Monitor password change events and audit logs for policy violations or bypass attempts.
- 6.Include password history requirements in security awareness training for end users.
- 7.Review and adjust password generation limits annually based on threat landscape and industry standards.
Evidence auditors look for
- System screenshots showing password history configuration (e.g., 'Enforce password history: 5 passwords remembered').
- Identity provider policy documentation specifying the number of password generations prohibited from reuse.
- Audit logs showing rejected password change attempts when users try to reuse previous passwords.
- Test results demonstrating system rejection of reused passwords within the prohibited generation window.
- User account provisioning templates with password history enforcement enabled.
- Security policy documentation defining password reuse prohibition requirements.
- Help desk tickets or user communication confirming awareness of password reuse restrictions.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch monitors password history policies across your identity systems in real-time and flags non-compliance, eliminating manual audits of password reuse controls.
See how GRCWatch handles this control automatically
Start free trial