An organizations’ security policy requires that users change passwords every 30 days. After a
security audit, it was determined that users were recycling previously used passwords. Which of
the following password enforcement policies would have mitigated this issue?

A.
Password history

B.
Password complexity

C.
Password length

D.
Password expiration

Explanation:
Password history determines the number of previous passwords that cannot be used when a user
changes his password. For example, a password history value of 5 would disallow a user from
changing his password to any of his previous 5 passwords. However, without a minimum

password age setting, the user could change his password six times and cycle back to his original
password.