5.3.3 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to
ensure that users are not recycling recent passwords.

Rationale:

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be
able to guess the password.

Note that these change only apply to accounts configured on the local system.

Solution

Set remembered password history to conform to site policy. Many distributions provide
tools for updating PAM configuration, consult your documentation for details. If no tooling
is provided edit the appropriate /etc/pam.d/ configuration file and add or modify the
pam_pwhistory.so or pam_unix.so lines to include the remember option:

password required pam_pwhistory.so remember=5
password sufficient pam_unix.so remember=5

Notes:

Consult your documentation for the appropriate PAM file and module.

Additional module options may be set, recommendation only covers those listed here.

See Also

https://workbench.cisecurity.org/files/2420