PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used
Effectiveness of Changing Passwords
PCI Requirement 8.2.5 works in conjunction with PCI Requirement 8.2.4 to create secure passwords. Because PCI Requirement 8.2.4 requires passwords/passphrases to be changed every 90 days, PCI Requirement 8.2.5 dictates that new passwords/passphrases can’t be the same as any of the last four passwords/passphrases used. This prevents users from trying to alternate between the same few passwords or not reset their password at all by using the same password over and over again. The PCI DSS further explains, “If password history isn’t maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future.”
During an assessment, your organization’s system configuration settings will be examined to verify that parameters are in place so new passwords/passphrases can’t be the same as any of the last four passwords/passphrases used.
When we have a requirement that says that we need to change our passwords every 90 days, we find that people will try to use the last password that they had or not reset their password at all by submitting the same password that they’re already using. I can admit that even I’ve done that in the past. From an application security perspective, PCI Requirement 8.2.5 requires that you retain the last four passwords that an individual has used. When the passwords are changed every 90 days, you can’t use the last four passwords for a year. From an assessment perspective, we’re looking at the applications that you’ve developed, commercial off-the-shelf applications, authentication store, and how the password settings prevent somebody from using previous passwords.