5.3.3 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

Rationale:

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.

Note that these change only apply to accounts configured on the local system.

Solution

Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:

password required pam_pwhistory.so remember=5

Additional Information:

Additional module options may be set, recommendation only covers those listed here.

See Also

https://workbench.cisecurity.org/files/3399

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv6|16, CSCv7|16

Plugin: Unix

Control ID: 79ef45a3713e6b2ce78eec63a41cd385c34dd5b0799af99af633d2e37a45f4d6