Re: minimum password reset time
> Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.
Ugh, even that brings its own problems. Being told you can't change a password that's been compromised because the minimum time hasn't elapsed. On one of our systems, a privileged generic* account password is retrieved several times a day by different people, but can only be changed once a day. So a bunch of people can re-use the password all day, with no accountability for who did what.
A long password history usually means you don't need a minimum time. Until you meet That Guy who ruins it for everyone:
>>...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.
* Yes, they should have individual logins. But the ancient application doesn't support that, OR auditing,
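The history-cycling behaviour described above can be spotted in audit data without enforcing a minimum password age. The following is an added example, not part of the original post; the log format, the history depth of 10 and the one-hour window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format): "<ISO time> <account> <event>"
_START = datetime(2024, 3, 1, 9, 2, 0)
SAMPLE_LOG = [
    "2024-03-01T08:55:00 alice password_change",
    "2024-03-01T09:00:00 bob login",
    "2024-03-01T10:15:00 carol password_change",   # e.g. reset after a compromise
    "2024-03-01T10:40:00 carol password_change",
    "2024-04-01T08:57:00 alice password_change",
    "not a valid audit line",
] + [
    # bob changes his password 11 times, 20 seconds apart
    f"{(_START + timedelta(seconds=20 * i)).isoformat()} bob password_change"
    for i in range(11)
]


def find_history_cycling(lines, history_depth=10, window=timedelta(hours=1)):
    """Return {account: (first_change, last_change, count)} for accounts that made
    more than `history_depth` password changes inside one sliding `window`."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "password_change":
            continue  # ignore other events and malformed lines
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except ValueError:
            continue  # unparseable timestamp
    recent = defaultdict(deque)  # account -> change times still inside the window
    flagged = {}
    for ts, account in sorted(events):
        times = recent[account]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) > history_depth and account not in flagged:
            flagged[account] = (times[0], ts, len(times))
    return flagged


if __name__ == "__main__":
    for account, (first, last, count) in find_history_cycling(SAMPLE_LOG).items():
        print(f"{account}: {count} changes between {first} and {last}")
```

A second change shortly after a reset (carol in the sample) stays below the threshold, so an urgent change after a compromise is neither blocked nor flagged.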