1.3.3 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords

Information

This determines the number of unique passwords that have to be most recently used for a user account before a previous password can be reused.
Rationale:
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Prevent Password Reuse Limit to greater than or equal to 24
or
Execute the following CLI command:
username@set mgt-config password-complexity password-history-count <>
+ block-repeated-characters Block repeated characters count
+ block-username-inclusion Block inclusion of username and it's reverse
+ enabled Enable minimal password complexity enforcement
+ minimum-length Minimum password length
+ minimum-lowercase-letters Minimum lowercase letters in the password
+ minimum-numeric-letters Minimum numeric(0-9) letters in the password
+ minimum-special-characters Minimum special characters(non-alphanumeric) in the password
+ minimum-uppercase-letters Minimum uppercase letters in the password
+ new-password-differs-by-characters New Password must differ by the count chars
+ password-change-on-first-login Password must change on first time login
+ password-change-period-block Password change block period
+ password-history-count Save password history for password changes
> password-change password-change
<Enter> Finish input
# commit

Default Value:
Not enabled.

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CSCv6|5

Plugin: Palo_Alto

Control ID: bd30cb28b79dd415ed7fef359f0c0b99b7cec7de57f869e932e34ac36450e8d6