Prevent users from re-using recently used passwords on the Password Reset screen

Description

The self-service password reset form can be configured to prohibit a user from choosing a recently used password when resetting his or her password. This prevents a user from re-using some number of the last passwords used for the account, which enhances security by disallowing the repeated use of passwords. A ServiceNow admin configures this from the Credential Store record, and this article describes the process.

Resolution

1. Log in to the instance with an account which has either the admin role or the password_reset_admin role.
2. Browse to the following location using the Menu Navigator: Password Reset -> Credential Stores.
3. Locate the Credential Store which corresponds to the password reset system used on this instance. For most systems this will probably be the out-of-box Credential Store with the name Local ServiceNow Instance.
4. Click the Credential Store record to open it for editing.
5. Once the record opens, select the Enforce history policy checkbox. Doing this should also cause a message to appear at the top of the record indicating "To enforce password history policy, you must create an integer value parameter called 'password_history_limit'."
6. Scroll down in the Credential Store record to the related lists and locate the related list with the name Password Reset Credential Store Parameters.
7. Double-click the text Insert a new row in this list to insert a new row.
8. Under the Name column type password_history_limit and click the green checkbox in the list editor pop-up that appears.
9. After the parameter has been added, double-click the Value field associated with this row, type in the number of previous passwords that are retained by the system and which the customer is prohibited from using (for example 10), and click the green checkbox in the list editor pop-up that appeared to edit this value. The system will not recognize values for this parameter that are greater than 10. A value of 0 in this field indicates that no password history limit is enforced.
10. Click the Save or Update button on the Password Reset Credential Store record to save the changes to the record, including its association to the new parameter. As mentioned previously, setting the parameter to a value of 0 will not restrict the usage of any previous passwords on the instance (which is the same behavior as if the enforce password history option was not configured).
11. After saving the changes to the Credential Store record, browse to the following location using the Menu Navigator: Password Reset -> Processes. A list of Password Reset Process records will appear.
12. Filter the list so that it shows only Active records which have the Credential store field set to the name of the Credential Store modified in the steps above (i.e. Local ServiceNow Instance).
13. Click one of the records that remains in the list (there may only be one such active record) to open that record for editing.
14. On the record that opens, select the Password Reset Details tab. Ensure the Auto generate password checkbox is deselected (false). If not, set this value to false and Save this record. Note that if the Email Password Reset URL checkbox is selected, the Auto generate password checkbox will not be shown and is set to false by default.
15. Repeat these last steps, ensuring that the Auto generate password checkbox is unchecked for each active Password Reset Process record which is associated with the specific Credential Store.
16. Return to the Credential Store record configured in the previous steps: Password Reset -> Credential Stores.
17. Click the Test Connection button associated with that Credential Store record. After a few moments, the test should complete. Ensure the test completes with a successful result.
18. Click the Return to Credential Store link to return to the Credential Store record.

After this change has been configured on the instance, a user who attempts to change his password to one of the recently used passwords (as per the setting for the password_history_limit value) will receive an error indicating this password has already been used, and will need to set a different password in order for the password reset attempt to be valid.

Additional Information

There are several things that should be kept in mind when working with the password reset infrastructure in the system:

- If a user's password is reset by an admin level user (by changing the password field on the user form), the normal password reset functionality is not invoked and any password can be set (including a duplicate of a recently used password).
- If an instance is integrated with a local LDAP server or is using an SSO or SAML solution, any password reset functionality and login functionality is handled in a different manner, and thus the steps in this document will not restrict the re-use of recent passwords on the system.
- While this article specifically addresses the re-use of recent passwords, other password complexity requirements can also be configured for a password reset. Knowledge Base article KB0726960 - Customize the Password requirement Strength for the Reset Password form describes how this can be done.
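
The settings from the Resolution steps can be reviewed offline against an export of the Credential Store and Password Reset Process records. The script below is an added example, not ServiceNow code: the object shapes, property names and sample records are hypothetical and constructed for illustration, and only the parameter name password_history_limit and the rules it checks come from this article.

```javascript
// Added example: offline audit of exported Password Reset settings.
// Object shapes and property names are hypothetical, not ServiceNow column names.
function auditStore(store, processes) {
  const findings = [];
  if (!store.enforceHistoryPolicy) {
    return ['Enforce history policy is not selected'];
  }
  const raw = store.params.password_history_limit;
  if (raw === undefined) {
    findings.push("parameter 'password_history_limit' is missing");
  } else if (!/^\d+$/.test(String(raw).trim())) {
    findings.push(`password_history_limit '${raw}' is not a non-negative integer`);
  } else {
    const limit = Number(raw);
    if (limit === 0) findings.push('password_history_limit is 0: no history limit is enforced');
    if (limit > 10) findings.push(`password_history_limit ${limit} is greater than 10 and will not be recognized`);
  }
  // Every active process tied to this store must have Auto generate password off.
  for (const p of processes) {
    if (p.active && p.credentialStore === store.name && p.autoGeneratePassword) {
      findings.push(`process '${p.name}' has Auto generate password selected`);
    }
  }
  return findings;
}

// Map each store name to its list of findings (empty list = nothing to fix).
function auditAll(stores, processes) {
  return Object.fromEntries(stores.map((s) => [s.name, auditStore(s, processes)]));
}

// Constructed sample export (not real instance data).
const sampleStores = [
  { name: 'Local ServiceNow Instance', enforceHistoryPolicy: true, params: { password_history_limit: '10' } },
  { name: 'Store B', enforceHistoryPolicy: true, params: {} },
  { name: 'Store C', enforceHistoryPolicy: true, params: { password_history_limit: '12' } },
  { name: 'Store D', enforceHistoryPolicy: false, params: {} },
];
const sampleProcesses = [
  { name: 'Default Self Service', active: true, credentialStore: 'Local ServiceNow Instance', autoGeneratePassword: false },
  { name: 'Service Desk Reset', active: true, credentialStore: 'Local ServiceNow Instance', autoGeneratePassword: true },
  { name: 'Old Process', active: false, credentialStore: 'Store B', autoGeneratePassword: true },
];

console.log(JSON.stringify(auditAll(sampleStores, sampleProcesses), null, 2));
```

Password changes made by an admin on the user form, and instances using LDAP, SSO or SAML, fall outside what this audit covers, as noted under Additional Information.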