What is the rationale for a minimum password age?

Solution 1:

Firstly, a technical answer:

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.

http://technet.microsoft.com/en-us/library/cc779758(v=ws.10).aspx (Server 2003)
http://technet.microsoft.com/en-us/library/hh994570(v=ws.10).aspx (Server 2008 / Windows Vista onwards)

So, that's a good reason for it not to be 0. Additionally, according to those articles:

Default:

1 on domain controllers.
0 on stand-alone servers.

So, in other words, the default is the minimum you need to be able to enforce a password history.

Now, personally, I don't think there is a valid security reason to enforce minimum password ages but there could be some practical / human reasons. For example, you may restrict the number of password changes to cut down on the number of "Forgot my password" calls. I could see this being practical for high school students, perhaps.

Finally, it's worth bearing in mind that these limits do not apply to manual password resets from within Active Directory Users & Computers. So a user could always ask the Sysadmin for help if they really need to change their password.

Solution 2:

The rationale behind minimum password age is to prevent users from reverting to their old password immediately after an enforced password change. This policy is best used together with "password history" policy (prevent users from re-using their last X number of previous passwords).
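Both answers make the same point: "Enforce password history" only bites if "Minimum password age" is greater than zero, because otherwise a user can burn through throwaway passwords in one sitting and land back on the old favourite. The following Python model is an added illustration of that interaction and is not code from either poster or from Microsoft. It is a simplified model of the two checks (age first, then history; the remembered set is the current password plus the most recent old ones, up to the history count), and the policy values, the favourite password and the start date are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    history_count: int   # "Enforce password history": how many recent passwords are remembered
    min_age: timedelta   # "Minimum password age": timedelta(0) means "change any time"


@dataclass
class Account:
    current: str
    last_changed: datetime
    history: list = field(default_factory=list)  # previous passwords, most recent first


class PolicyError(Exception):
    pass


def change_password(acct: Account, policy: PasswordPolicy, new: str, now: datetime) -> None:
    """Apply the two checks in order: minimum age, then password history (simplified model)."""
    if now - acct.last_changed < policy.min_age:
        raise PolicyError("minimum password age not met")
    # Remembered set: the current password plus the newest old ones, capped at history_count.
    remembered = ([acct.current] + acct.history)[: policy.history_count]
    if policy.history_count > 0 and new in remembered:
        raise PolicyError("password is in history")
    acct.history.insert(0, acct.current)
    acct.history = acct.history[: policy.history_count]
    acct.current = new
    acct.last_changed = now


def policy_is_coherent(policy: PasswordPolicy) -> bool:
    """The TechNet advice quoted above: history is only effective with a non-zero minimum age."""
    return policy.history_count == 0 or policy.min_age > timedelta(0)


def cycle_back_to_favorite(history_count: int, min_age_days: int, favorite: str,
                           start: datetime = datetime(2014, 1, 1)) -> tuple:
    """Simulate a user who is forced to change and then keeps changing until the old
    favourite is accepted again. Returns (number of changes, days elapsed since start)."""
    policy = PasswordPolicy(history_count, timedelta(days=min_age_days))
    # The favourite has been in use for a long time, so the first change is allowed at `start`.
    acct = Account(current=favorite, last_changed=start - timedelta(days=365))
    now, changes, throwaways = start, 0, 0
    while changes < 10_000:  # safety bound for pathological policies
        # Wait out the minimum age if the last change was too recent.
        if now - acct.last_changed < policy.min_age:
            now = acct.last_changed + policy.min_age
        # Try the favourite first; if history blocks it, spend a throwaway password instead.
        try:
            change_password(acct, policy, favorite, now)
            changes += 1
            return changes, (now - start).days
        except PolicyError:
            throwaways += 1
            change_password(acct, policy, f"Throwaway{throwaways}!", now)  # constructed value
            changes += 1
    return None


if __name__ == "__main__":
    for hist, age in ((24, 0), (24, 1), (0, 0)):
        print(f"history={hist:2d} min_age={age}d -> (changes, days) = "
              f"{cycle_back_to_favorite(hist, age, 'Winter2013!')}")
```

With a history of 24 and a minimum age of 0 days the favourite is back after 25 changes on the same day; with a minimum age of 1 day the same 25 changes take 24 days, which is the whole point of the setting. With no history at all the "change" to the same password goes through immediately.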