I recently had to reset my password for a popular instant messaging service. Unfortunately, I failed to write down the new password I picked. So I had to reset the password again. That is when I got the following message:

Please wait one day before requesting another password reset.

A bit irritating, but perhaps motivated? What are the security benefits of this limitation? What sort of attack does it protect against?

Anders
  • See also [What is the purpose of the "Password minimum age" setting?](https://security.stackexchange.com/questions/78758/what-is-the-purpose-of-the-password-minimum-age-setting) – Sjoerd Mar 22 '21 at 12:38
  • See this https://security.stackexchange.com/questions/155558/how-can-waiting-24-hours-to-change-the-password-again-be-secure/155559 – Infra Mar 22 '21 at 13:08

1 Answer

Only the owner of this service can tell what their motivation is.

One of the motivations may be the following. Some systems track the most recent passwords and don't allow the most recent passwords to be reused very soon. For instance, if a user wants to reset the password and reuse one of the 10 most recent passwords, the system would not allow this.

If some users reset the password 10 times within a short time, let's say within 5 minutes, their "favorite" password will no longer be in the list of the 10 most recent passwords, so the system will allow them to use that password again.

Thus, if the system policy forces users to change their passwords regularly, e.g. every 90 days, some users can effectively ignore this policy by resetting the password multiple times and eventually setting it back to their preferred value.

If users are allowed to reset the password only once a day (or some other relatively small number of times per day), they will not be able to reuse their preferred password very soon and will have to wait relatively long, e.g. 10 days, until the system "forgets" their preferred password and they can reuse it again. This can discourage many users from using this trick.

mentallurg
  • Cool! I did not think about this possibility, but now when you describe it it sounds very reasonable. It is not the case for the particular service here (no forced password change) but I deliberately asked the question in a general way to pick up things like this. Thanks! :-) – Anders Mar 22 '21 at 07:19
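The interaction mentallurg describes, modelled as an added Python example (this is not code from the question, the answer, or the messaging service): a password-history check plus a minimum-age check, and a simulation of a user who keeps resetting with throwaway passwords until the favourite one has dropped out of the history. The history depth of 10 and the one-day minimum age are the figures used in the thread; the low PBKDF2 iteration count, the `Account` structure and the function names are assumptions made for the demo.

```python
"""Password history + minimum password age, and why the two belong together.

Added example; not the site's or any vendor's code. The policy values below
are taken from the thread, the KDF settings are demo-only assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

HISTORY_DEPTH = 10              # remember the 10 most recent passwords (from the answer)
MIN_AGE_SECONDS = 24 * 60 * 60  # "wait one day before requesting another reset"
KDF_ITERATIONS = 10_000         # kept low so the demo runs fast; real systems use far more


class PolicyViolation(Exception):
    """A password change was rejected by policy."""


@dataclass
class Account:
    # (salt, digest) pairs, oldest first; the last entry is the current password
    history: list = field(default_factory=list)
    last_change: Optional[float] = None


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def change_password(acct: Account, new_password: str, now: float,
                    history_depth: int = HISTORY_DEPTH,
                    min_age: float = MIN_AGE_SECONDS) -> None:
    """Apply the two checks from the answer: minimum age first, then history."""
    if acct.last_change is not None and now - acct.last_change < min_age:
        raise PolicyViolation("minimum password age not reached")
    for salt, digest in acct.history:
        # Each history entry has its own salt, so re-derive and compare in constant time.
        if hmac.compare_digest(derive(new_password, salt), digest):
            raise PolicyViolation("password was used recently")
    salt = os.urandom(16)
    acct.history.append((salt, derive(new_password, salt)))
    # Forget everything older than the newest history_depth passwords.
    del acct.history[:-history_depth]
    acct.last_change = now


def time_to_reuse(favorite: str, min_age: float,
                  history_depth: int = HISTORY_DEPTH) -> tuple:
    """Simulate the trick from the answer.

    The user sets `favorite`, then on every allowed occasion tries `favorite`
    again and, when it is refused, burns a throwaway password instead.
    Returns (throwaway resets needed, seconds until `favorite` is accepted).
    """
    acct = Account()
    change_password(acct, favorite, 0.0, history_depth, min_age)
    step = max(min_age, 1.0)  # with no minimum age the user can retry every second
    now = 0.0
    throwaways = 0
    while True:
        now += step
        try:
            change_password(acct, favorite, now, history_depth, min_age)
            return throwaways, now
        except PolicyViolation:
            # Favourite still in history: consume one history slot and try again later.
            change_password(acct, f"throwaway-{throwaways}", now, history_depth, min_age)
            throwaways += 1


if __name__ == "__main__":
    n, secs = time_to_reuse("correct horse", min_age=0.0)
    print(f"no minimum age:   {n} throwaway resets, favourite back after {secs:.0f} s")
    n, secs = time_to_reuse("correct horse", min_age=MIN_AGE_SECONDS)
    print(f"one-day minimum:  {n} throwaway resets, favourite back after {secs / 86400:.0f} days")
```

With no minimum age the history check alone is defeated in about as many seconds as the history is deep; with the one-day minimum age the same ten throwaway resets stretch over eleven days, which is the "wait relatively long" effect the answer describes. Note that the minimum-age check runs before the history check, so a user who is blocked by the age rule learns nothing about which old passwords are still remembered.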