Henry is an employee at Acme Company. The company requires him to change his password every three months. He has trouble remembering new passwords, so he keeps switching between just two passwords. Which policy would be most effective in preventing this?

If the system maintains a password history, that would prevent any user from reusing an old password. Password complexity and length are common security settings but would not prevent the behavior described. Multifactor authentication helps prevent brute-force attacks and reduces the potential impact of stolen passwords but would not help with this scenario.