1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords

Information

This determines the number of unique passwords that have to be most recently used for a user account before a previous password can be reused.

Rationale:

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. While current guidance emphasizes password length above frequent password changes, not enforcing password re-use guidance adds the temptation of using a small pool of passwords, which can make an attacker's job easier across an entire infrastructure.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Prevent Password Reuse Limit to greater than or equal to 24

Default Value:

Not enabled.

References:

'PAN-OS Administrator's Guide 9.0 (English) - Best Practices for Securing Administrative Access' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html

See Also

https://workbench.cisecurity.org/files/2692