Password Reuse

Our client has a detailed set of security requirements for all applications. When my team's application suite was developed long ago, they implemented a subset of these requirements. Recently this has come up as part of an audit. So our new directive is to get in compliance with the security requirements.

One area the requirements cover is that of password reuse. I thought this would be easy to implement since all our users already have a database profile which we manage. This should have been a matter of setting some limits in the profile. Unfortunately nothing is ever as easy as it seems.

Some web sites recommended setting password reuse limits like this:

ALTER PROFILE common LIMIT password_reuse_max 5
  password_reuse_time UNLIMITED;

The idea is that users could reuse a password after they change their password 5 times. But this would not work. After much investigation and pain, I finally got the 411 on password reuse.
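As an added example (not part of the original post), the recommended setting above next to one that Oracle's documented profile semantics actually enforce, followed by a query to confirm what the profile holds; the profile name "common" is the page's, and the value 1 for password_reuse_time is an assumed choice for illustration.

```sql
-- Added example, not the original author's code. Profile name "common" comes
-- from the post; the numeric values are assumptions chosen for illustration.

-- 1. The setting recommended on many sites: one limit an integer, the other
--    UNLIMITED. Per Oracle's documentation this does NOT mean "reuse after 5
--    changes": when either parameter is UNLIMITED and the other is an integer,
--    the user can never reuse a password (ORA-28007 on the attempt).
ALTER PROFILE common LIMIT
  password_reuse_max  5
  password_reuse_time UNLIMITED;

-- 2. For either parameter to take effect, BOTH must be integers. The combined
--    rule is: a password may be reused only after it has been changed
--    password_reuse_max times AND password_reuse_time days have elapsed.
--    A 1-day window (assumed value) makes the change count the dominant test.
ALTER PROFILE common LIMIT
  password_reuse_max  5
  password_reuse_time 1;

-- 3. Verify what the profile actually enforces. A LIMIT of DEFAULT inherits
--    from the DEFAULT profile, which ships with UNLIMITED for both, so a
--    DEFAULT here silently reproduces the "never reuse" case from step 1.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'COMMON'
   AND resource_name IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME');
```

Querying DBA_PROFILES needs the usual dictionary privilege; the profile name is stored upper-case, hence 'COMMON'.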