Overview
Parameter: PASSWORDHISTORYLENGTH
Category: Login
Default value: 5
Product: eTASK.Login
What does this parameter do?
This parameter determines how many of a user’s most recently used passwords are stored. When a user changes their password, the new password is compared to the stored old passwords. If the new password matches one of the stored passwords, the change is rejected. This prevents users from repeatedly using the same passwords.
What is this parameter used for?
Increasing password security by preventing password reuse
Meeting compliance requirements (e.g., ISO 27001, BSI Basic Protection, GDPR)
Protection against account compromise through enforced password variation
Implementing corporate security policies for password management
Preventing cyclical password use (e.g., alternating between two passwords)
Technical Details (for Administrators)
Format: Integer
Default value: 5
Valid range: 0 to approx. 100 (practically 0–20 recommended)
Examples of valid values:
- 0 = No password history – passwords can be reused as often as desired (not recommended)
- 3 = The last 3 passwords are saved and blocked
- 5 = The last 5 passwords are saved (default, complies with common security guidelines)
- 10 = The last 10 passwords are stored (enhanced security)
- 24 = The last 24 passwords are stored (maximum security when combined with monthly password changes = 2 years of history)
Storage: Passwords are stored in the database as one-way hashes, never in plain text; a new password is compared by hashing it and checking it against the stored hashes.
Scope: This parameter applies exclusively to passwords stored locally in the FM Portal. When logging in via Active Directory or Azure AD, the password policy of the respective directory service applies.
Interaction with other parameters:
- PASSWORDEXPIRATIONPERIODMONTH: Determines how often passwords must be changed
- PASSWORDMINLENGTH / PASSWORDMAXLENGTH: Specify the permitted password length
- PASSWORDPOLICY: Defines additional requirements (special characters, numbers, etc.)
When should you change this value?
Increase the value (e.g., to 10 or higher) if:
Your organization has stricter compliance requirements (e.g., financial sector, healthcare)
You work with highly sensitive data
The PASSWORDEXPIRATIONPERIODMONTH parameter is set to a low value (e.g., monthly password change)
Security audits require a more extensive password history
You want to prevent password rotation attacks (rapidly cycling through passwords to return to the original one)
Reduce the value (e.g., to 3) if:
Users complain that they can no longer come up with new passwords
You have a support issue with forgotten passwords
Passwords need to be changed very rarely (e.g., PASSWORDEXPIRATIONPERIODMONTH = 0 or > 12 months)
There are no special security requirements
Set 0 (disable) if:
Passwords are never changed or only changed in exceptional cases
You use a different authentication system (e.g., Active Directory only)
User-friendliness is the top priority (not recommended for production systems)
Important Notes
Existing password histories are retained: If you reduce the value from 5 to 3, the old entries are not deleted immediately but are adjusted the next time the respective user changes their password.
Combine with PASSWORDEXPIRATIONPERIODMONTH: If passwords must be changed every 3 months (PASSWORDEXPIRATIONPERIODMONTH = 3) and the history includes 5 passwords, users can only reuse their old password after 15 months.
Inform users in advance: Increases in the password history length should be communicated to avoid frustration—especially if users can no longer use their tried-and-true password variations.
Technical implementation: Passwords are stored as hashed values (not in plain text). This means that even administrators cannot view the old passwords.
Database size: With a large number of users and a high value (e.g., 24), more storage space is required in the database. In practice, however, this is negligible.
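The following is an added illustration, not code from eTASK.Login or the FM Portal, of the behaviour described under "What does this parameter do?" and in the note on retained histories above: a user's last PASSWORDHISTORYLENGTH passwords are kept as one-way hashes, a new password is hashed and compared against them, a match is rejected, and surplus entries are only trimmed when the user next changes their password (so lowering the value from 5 to 3 does not delete entries immediately). The storage format (a random per-entry salt plus a PBKDF2-HMAC-SHA256 digest), the class and method names, and the sample passwords are assumptions for this example, not the product's schema.

```python
import hashlib
import hmac
import os

# Added example (not FM Portal / eTASK.Login code): an in-memory model of how a
# PASSWORDHISTORYLENGTH check can be enforced. The storage format assumed here
# (per-entry random salt + PBKDF2-HMAC-SHA256 digest) is an assumption for
# illustration, not the product's actual database schema.

PBKDF2_ITERATIONS = 50_000  # assumed work factor; production systems use their configured KDF


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation of a password digest; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """History of one user's recent passwords, newest first, capped at history_length."""

    def __init__(self, history_length: int) -> None:
        self.entries = []  # list of (salt, digest) pairs, newest first; no plaintext
        self.set_history_length(history_length)

    def set_history_length(self, history_length: int) -> None:
        """Apply a new PASSWORDHISTORYLENGTH value (0 disables the check).

        Existing entries are deliberately left untouched: surplus entries are
        trimmed on the user's next password change, not when the value changes.
        """
        if history_length < 0:
            raise ValueError("PASSWORDHISTORYLENGTH must be 0 or a positive integer")
        self.history_length = history_length

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate matches any stored digest (constant-time comparison)."""
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self.entries
        )

    def change_password(self, new_password: str) -> bool:
        """Attempt a password change.

        Returns True if the change is accepted, False if it is rejected because
        the password is among the user's last history_length passwords.
        """
        if self.history_length > 0 and self.was_used_recently(new_password):
            return False
        salt = os.urandom(16)
        self.entries.insert(0, (salt, hash_password(new_password, salt)))
        # Trim at change time only, so that lowering the parameter (e.g. 5 -> 3)
        # takes effect for a user once they next change their password.
        del self.entries[self.history_length:]
        return True


if __name__ == "__main__":
    # Constructed walk-through of the "Max Mustermann" scenario with a history of 5.
    history = PasswordHistory(5)
    for pw in ["Summer2023!", "Autumn2023!", "Winter2023!", "Spring2024!", "Winter2024!"]:
        history.change_password(pw)
    print("Summer2023! accepted:", history.change_password("Summer2023!"))  # False: in last 5
    print("Spring2025! accepted:", history.change_password("Spring2025!"))  # True
    history.set_history_length(3)
    print("entries kept after lowering to 3:", len(history.entries))         # still 5
```

Only the hashes are ever stored, so an administrator inspecting `entries` cannot recover the old passwords, which matches the "Technical implementation" note above. The constant-time comparison is a detail worth keeping in any real implementation: comparing hashes with `==` could leak timing information about which stored entry partially matched.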
Security
Does changing this parameter affect security?
Yes, this parameter is security-critical.
Higher values = increased security against the reuse of compromised passwords
Prevents cyclical password usage: Users cannot simply switch back and forth between two or three passwords
Protection against data breaches: If an old password becomes known due to an external data breach, it cannot be reused
Interaction with PASSWORDEXPIRATIONPERIODMONTH: Together, both parameters form an effective security measure
Applies ONLY to portal passwords: For Active Directory or Azure AD logins, the policy of the respective directory service is applied
A value of 0 is a security risk: Users can reuse the same password repeatedly, which is dangerous if the account is compromised
Risks associated with excessively high values:
- Users tend to write down passwords or store them in insecure password managers
- Increased support workload due to forgotten passwords
- Potential attempts to circumvent the policy (e.g., quickly changing the password 5 times to revert to the original)
Conclusion: Changes to this parameter have a direct impact on system security. The recommended value is between 5 and 10 passwords, depending on your organization’s security requirements and the frequency of password changes.
Practical example
Initial situation:
Your organization uses the FM portal for 500 employees. The IT security department has noticed that some users only make minor changes to their passwords (e.g., "Password1" → "Password2" → "Password1") and wants to prevent this. The current configuration is:
- PASSWORDHISTORYLENGTH = 5
- PASSWORDEXPIRATIONPERIODMONTH = 3 (password change every 3 months)
Scenario 1 - Standard Use:
- User "Max Mustermann" must change his password on January 1
- He has been using: "Winter2024!"
- He tries to enter "Summer2023!" (one of his last 5 passwords)
- System: "This password has already been used. Please choose a new password."
- Max chooses: "Spring2025!" (successful)
Scenario 2 - Increase to 10: Following a security audit, PASSWORDHISTORYLENGTH is increased to 10.
After the configuration change:
- When changing his password next (April 1), Max cannot use any of his last 10 passwords
- With quarterly changes, this means: Passwords from the last 2.5 years are blocked
- Max must come up with new, more creative passwords
- The likelihood of a compromised old password being reused decreases significantly
Scenario 3 - Set to 0 (not recommended): If PASSWORDHISTORYLENGTH is set to 0:
- Max can immediately reuse his previous password after every password change
- He could permanently switch between "Winter2024!" and "Summer2024!"
- Security risk: If "Winter2024!" becomes known through a data breach, his account is permanently at risk
Result:
The combination of PASSWORDHISTORYLENGTH = 5 and PASSWORDEXPIRATIONPERIODMONTH = 3 means that users can only reuse an old password after 15 months (5 × 3 months). This offers a good compromise between security and user-friendliness.
Recommended setting
For standard installations without special security requirements:
- PASSWORDHISTORYLENGTH = 5 (default value)
- Combined with PASSWORDEXPIRATIONPERIODMONTH = 0 (no forced change) or 6 (every six months)
For organizations with heightened security requirements (finance, government agencies, healthcare):
- PASSWORDHISTORYLENGTH = 10
- Combined with PASSWORDEXPIRATIONPERIODMONTH = 3 (quarterly) or 6 (every six months)
- Together with PASSWORDMINLENGTH = 12 and PASSWORDPOLICY = "All"
For maximum security (highly sensitive environments):
- PASSWORDHISTORYLENGTH = 24
- Combined with PASSWORDEXPIRATIONPERIODMONTH = 1 (monthly)
- This corresponds to a 2-year password history
- Note: Significant training and support efforts required!
Important note: Disable the password history (value = 0) only in test environments or if you use Active Directory authentication exclusively and do not use local portal passwords.
IC2882