5.3.3 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

Note: Changes only apply to accounts configured on the local system.

Rationale:

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.

Solution

Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:

password required pam_pwhistory.so remember=5

See Also

https://workbench.cisecurity.org/files/2920

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|16

Plugin: Unix

Control ID: c5390423d7e6819c5ac25f6757dbc579ac6792269f330004713a7b825839f74b