1.4 Ensure Check for Password Reuse is selected and History Length is set to 12 or more - history-checking

Information

Check for reuse of passwords. When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by History length. Does not apply to SNMP passwords. Enables or disables password history checking and password history recording, for all users.

Rationale:

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. While current guidance emphasizes password length above frequent password changes, not enforcing password re-use guidance adds the temptation of using a small pool of passwords, which can make an attacker's job easier across an entire infrastructure.

Solution

Run the following command to set tie history-checking setting.
CLI:

Hostname>set password-controls history-checking on

Hostname>set password-controls history-length 12

GUI:

Navigate to User Management > Password Policy > Password History:
checked the 'Check for Password Reuse' setting.

Navigate to User Management > Password Policy > Password History:
Set 'History Length' is set to 12 or more.

Default Value:

Selected

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e)

Plugin: CheckPoint

Control ID: c6c552ab74ca6f3ffa0108dc32f4260159a878d57597fddf8c9de06d2d95c7bd