Preventing Password Reuse in Active Directory for Students

brichardi 361 Reputation points
2024-11-04T16:28:20.0933333+00:00

Hello,

In a K-12 environment, there is an issue with students reusing passwords when they need to reset them. The technician currently brings up the Active Directory (AD) console and allows students to type their own new passwords.

How can password reuse be detected during this process in the AD console? Is there software available that can compare password hashes to determine if the new password is the same as any of the previously used passwords?

Thank you for any assistance.

Thank you for your help.


2 answers

  1. David Broggy 6,291 Reputation points MVP Volunteer Moderator
    2024-11-04T17:14:46.0366667+00:00

    Hi brichardi,

    This is an Active Directory question, not Entra ID, or is there more to the question?

    (You added tags for both Entra and Active Directory)

    Regardless, here's an article on enforcing password history to resolve this issue:
    https://www.bleepingcomputer.com/news/security/enforcing-password-history-in-your-windows-ad-to-curb-password-reuse/


  2. Wesley Li 11,245 Reputation points
    2024-11-04T18:19:16.9966667+00:00

    Hello

    Detecting password reuse in Active Directory (AD) can be a bit challenging, but there are ways to address this issue. Active Directory itself has built-in mechanisms to prevent password reuse through the use of password policies. These policies can enforce password history, which prevents users from reusing their previous passwords for a specified number of password changes.

    To set up password history in Active Directory, you can configure the "Enforce password history" policy. This policy specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. For example, if you set this policy to 5, the user cannot reuse any of their last 5 passwords.

    Here are the steps to configure this policy:

    1. Open the Group Policy Management Console (GPMC).
    2. Navigate to the appropriate Group Policy Object (GPO) that you want to edit.
    3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
    4. Double-click on Enforce password history and set the desired number of passwords to remember.

    Regarding software that can compare password hashes, there are third-party tools available that can help with this. These tools typically work by storing password hashes and comparing them when a password change is attempted. Some examples include:

    - Specops Password Policy: This tool extends the capabilities of Active Directory password policies and can enforce custom password rules, including preventing password reuse.
    - Password Policy Enforcer: This tool can enforce complex password policies and prevent users from reusing passwords by comparing password hashes.

    These tools integrate with Active Directory and provide additional functionality to enhance password security.
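The GPO steps above can also be done from PowerShell, and that makes one caveat for the asker's workflow easy to see: Active Directory checks password history only when the user performs a password *change* (old password supplied, as at Ctrl+Alt+Del), not when a technician performs an administrative *reset* (the "Reset Password" dialog in the AD console, or Set-ADAccountPassword -Reset). The script below is an added example, not code from either answer or from Microsoft; it sets the history count on the default domain policy, applies a stricter fine-grained policy to a students group, and then shows a reset done so that the student must choose the real password at next logon, which is the path on which history is actually enforced. The domain name school.local, the group Students and the user student01 are assumed placeholders; the commands require the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example (not from the original thread). Assumed names:
# domain 'school.local', global security group 'Students', user 'student01'.
Import-Module ActiveDirectory

# 1. Inspect the domain-wide policy (the Default Domain Policy GPO settings).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MinPasswordAge, MinPasswordLength, ComplexityEnabled

# 2. Remember the last 24 passwords domain-wide (24 is the maximum AD supports).
#    A non-zero minimum age stops a user from cycling through 24 passwords in
#    one sitting to get back to the old one.
Set-ADDefaultDomainPasswordPolicy -Identity 'school.local' `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1)

# 3. Optional: a fine-grained password policy that applies only to students
#    (requires a global security group as the subject). Lower Precedence wins
#    when several policies apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'StudentsPSO' -Precedence 10 `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'StudentsPSO' -Subjects 'Students'

# Verify which policy actually governs a given student (null means the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'student01'

# 4. Technician reset done the history-safe way: the temporary password is set
#    by reset (history is NOT checked here), and the account is flagged so the
#    student must change it at next logon. That change is checked against the
#    history list, so a reused password is rejected by AD itself.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for student01'
Set-ADAccountPassword -Identity 'student01' -Reset -NewPassword $tempPassword
Set-ADUser -Identity 'student01' -ChangePasswordAtLogon $true
```

Letting the student type the final password into the technician's AD console, as the question describes, is a reset from AD's point of view, so even with "Enforce password history" set the old password will be accepted. Moving the real password choice to the student's own logon keeps the policy in the loop without any third-party tooling.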

