3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'

Information

The PASSWORD_REUSE_MAX setting determines how many different passwords must be used before the user is allowed to reuse a prior password. The suggested value for this is 20 passwords or greater.

Rationale:

Allowing reuse of a password within a short period of time after the password's initial use can make the success of both social-engineering and brute-force password-based attacks more likely.

Solution

Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.

ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

Notes:

The above restriction should be applied along with the PASSWORD_REUSE_TIME setting.

See Also

https://workbench.cisecurity.org/files/2741

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|16, CSCv7|4.4

Plugin: OracleDB

Control ID: 9bbf2b173848107e7eba6b4f3a40634c96f9a8e787703874bb45cf2e02e350d8