5.3.3 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

Notes:

-

Additional module options may be set, recommendation only covers those listed here.

-

This setting only applies to local accounts.

-

This option is configured with the remember=

n

module option in /etc/pam.d/common-password

Forcing users not to reuse their past passwords make it less likely that an attacker will be able to guess the password.

Solution

Run the following command:

# pam-config -a --pwhistory --pwhistory-remember=5

OR

Edit the file /etc/pam.d/common-password to include the remember= option and conform to site policy as shown:

password required pam_pwhistory.so remember=5

See Also

https://workbench.cisecurity.org/files/3682

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Unix

Control ID: 0a125c192acf01214f28975815ee2606dfc5aeb5956ae678894c4c6cacfa1791