Information
The pwquality difok option sets the number of characters in a password that must not be present in the old password.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Solution
Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or more and meets local site policy:
difok = 2
Create or modify a file ending inconf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line to set difok to 2 or more. Ensure setting conforms to local site policy:
Example:
# sed -ri 's/^s*difoks*=/# &/' /etc/security/pwquality.conf
# printf '
%s' "difok = 2" >> /etc/security/pwquality.conf.d/50-pwdifok.conf
Run the following script to remove setting difok on the pam_pwquality.so module in the PAM files:
#!/usr/bin/env bash
{
for l_pam_file in system-auth password-auth; do
l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwquality.so.*)(s+difoks*=s*S+)(.*$)/14/' "$l_authselect_file"
done
authselect apply-changes
}