5.4.1.2 Ensure minimum password age is configured

Information

The minimum password age determines the number of days that you must use a password before you can change it.

PASS_MIN_DAYS <N> - The minimum number of days allowed between password changes. Any password change attempted sooner than this will be rejected. If not specified, 0 is assumed (which disables the restriction).

Users tend to have favorite passwords that they like to reuse because they are easy to remember and they believe their choice is secure. Unfortunately, passwords do get compromised, and if an attacker is targeting a specific user account with foreknowledge of that user's old passwords, the reuse of an old, potentially compromised password can lead to a breach.

By restricting how often a password can be changed, an administrator prevents users from cycling through a series of throwaway passwords in one sitting to exhaust the password history and return to a favorite, which would defeat the password reuse controls.

Solution

Edit /etc/login.defs and set PASS_MIN_DAYS to a value greater than 0 that follows local site policy:

Example:

PASS_MIN_DAYS 1

Run the following command for each user that has a password set, so that the account's minimum password age is greater than zero and follows local site policy:

# chage --mindays <N> <user>

Example:

# awk -F: '($2~/^\$.+\$/) {if($4 < 1)system ("chage --mindays 1 " $1)}' /etc/shadow

The regular expression selects only accounts whose password field holds a hash (a value starting with "$" and containing a second "$"), so locked ("!", "*") and empty password fields are left alone.
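The following is an added example, not part of the benchmark text, that turns the two remediation steps above into a reviewable audit: it reads the effective PASS_MIN_DAYS from a login.defs-style file, lists password-bearing accounts in a shadow-style file whose minimum age is unset or below the required value, and prints the chage commands that would fix them instead of running them. File paths are parameters so it runs as an unprivileged user against the constructed sample data embedded below; on a real host pass /etc/login.defs and /etc/shadow. The function names and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark page). Audits PASS_MIN_DAYS and
# per-user minimum password age without modifying anything.

# Print the effective PASS_MIN_DAYS from a login.defs-style file.
# Commented lines are ignored; an unset value reports 0, the documented default.
logindefs_min_days() {
    awk '/^[ \t]*PASS_MIN_DAYS[ \t]+/ { v = $2 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# Print, one per line, users whose password field is a hash ($...$...) and
# whose minimum-age field (field 4) is empty or below the required value.
# Locked ("!", "*") and empty password fields are skipped, as in the benchmark's awk.
shadow_users_below_min() {
    awk -F: -v min="$2" \
        '$2 ~ /^\$.+\$/ && ($4 == "" || $4 + 0 < min) { print $1 }' "$1"
}

# Emit the remediation commands rather than executing them, so an admin can
# review the list before it touches accounts.
remediation_commands() {
    shadow_users_below_min "$1" "$2" | while read -r u; do
        printf 'chage --mindays %s %s\n' "$2" "$u"
    done
}

# --- constructed sample data (hash strings are placeholders, not real hashes) ---
SAMPLE_LOGIN_DEFS=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_LOGIN_DEFS" "$SAMPLE_SHADOW"' EXIT

cat >"$SAMPLE_LOGIN_DEFS" <<'EOF'
# PASS_MIN_DAYS 0   (commented out; must be ignored)
PASS_MAX_DAYS 365
PASS_MIN_DAYS 1
EOF

cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$y$j9T$saltsalt$hashhashhash:19000:1:99999:7:::
bob:$6$saltsalt$hashhashhash:19000::99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF

# Stand-alone run: report the policy value and the commands needed to comply.
REQUIRED=$(logindefs_min_days "$SAMPLE_LOGIN_DEFS")
printf 'PASS_MIN_DAYS in sample login.defs: %s\n' "$REQUIRED"
printf 'Accounts needing remediation:\n'
remediation_commands "$SAMPLE_SHADOW" "$REQUIRED"
```

With the sample data, root (min age 0) and bob (min age unset) are flagged, alice already complies, and the locked daemon and svc accounts are ignored. Setting the required value to the number from login.defs keeps the per-user setting and the site default consistent.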

Impact:

By enforcing a minimum password age, a user will be unable to change their password if they observe a potential compromise of their password, e.g. "shoulder surfing", during the time defined by minimum password age. In this event the user should follow local site policy to report a compromised password.

If a user's password is set by other personnel as part of a procedure for dealing with a lost or expired password, the user should be forced to replace this "set" password with one of their own, e.g. by forcing "change at next logon".

If it is not possible to have the user set their own password immediately, and this recommendation or local site procedure would otherwise leave the user with a password generated by a third party, the minimum age for the affected user should be temporarily set to 0 (chage --mindays 0 <user>) to allow an immediate change, then restored once the user has chosen their own password.

For applications where the user is not using the password at console, the ability to "change at next logon" may be limited. This may cause a user to continue to use a password created by other personnel.

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: d54d952531a48f6d08d26f79281f52ba4c9a88144f566df284b738f04577807c