Weak Password Policy - Password History

Enforcing password history is a common safeguard to prevent the reuse of previously compromised passwords. However, a low password history count allows users to reuse relatively recent passwords, increasing the risk of unauthorized access to accounts and sensitive data.

Tenable Identity Exposure analyzes password policies as follows:

• It evaluates the setting's value only if the setting is enabled.
• For the Default Policy, it reports the setting as misconfigured if it is either disabled or has an insecure value. This is because the Default Policy acts as a fallback and should define all relevant settings with secure values as a last-resort safeguard.

Tenable Identity Exposure analyzes disabled password policies only when the corresponding IOE parameter is also disabled.

You must set the password history to a higher value in the reported password policy.

Okta recommends a typical value of 24, which is also the default setting in this Indicator of Exposure. Tenable advises selecting a value that aligns with your organization's risk tolerance, as well as the relevant industry standards and regulatory requirements for your sector and location. Be mindful of the impact on end-user experience, as users will have to create new passwords.

Next, configure the optimal value in the IOE parameter.

Refer to Okta’s official documentation for guidance on how to configure correctly the reported password policy.

Name: Weak Password Policy - Password History

Codename: WEAK-PASSWORD-POLICY-PASSWORD-HISTORY-OKTA

Severity: Medium

Type: Okta Indicator of Exposure