5.2.8 Password History

Information

Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous passwords hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15.

The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.

Rationale:

Old passwords should not be reused

Impact:

Required password changes will lead to some locked computers requiring admin assistance

Solution

Run the following command to require that the passwords must to be different from at least the last 15 passwords:

$ sudo pwpolicy -a <administratoraccount> -setaccountpolicies 'usingHistory=<value>=15>'

example:

$ sudo pwpolicy -a firstuser -setglobalpolicy 'usingHistory=15'

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5f.

Plugin: Unix

Control ID: c51ef9f45af025afb83a82b7de040fe57355504a5068efcce4876a2dbe641d8f