On Jan 17, 2008, at 3:54 PM, John Hascall wrote:

> This is, indeed, a restriction. If you need more, you need to change
> the code and recompile, etc.


No code here. I'll have to use that as en excuse to get an exception.

>
> In any event, unless you also set a minimum password lifetime, you
> can't guarantee a no reuse in a year anyway (I could change my
> password
> 12 times in 12 minutes).


I have that covered.

>
>
> I realize that these sorts of password rules are often externally
> dictated,
> but it's not clear to me (or many others) that they actually have a
> positive
> effect on security).
>



Let me know when you convince non-technical security auditors.


>
>
> John
>