5.4.1.3 Ensure minimum days between password changes is configured

Information

The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days.

By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

Solution

Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs :

PASS_MIN_DAYS 1

Modify user parameters for all users with a password set to match:

# chage --mindays 1 <user>

See Also

https://workbench.cisecurity.org/benchmarks/8498