9.2.3 Limit Password Reuse

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to
ensure that users are not recycling recent passwords.

*Rationale*

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be
able to guess the password.
Note that these change only apply to accounts configured on the local system.

Solution

Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password-password sufficient pam_unix.so remember=5Note- The default password setting in this document is the last 5 passwords. Change this
number to conform to your site's password policy.

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e)

Plugin: Unix

Control ID: 2b3136080bb4abda2ecdc25f47bc5246823a1c885862c8c3ba29c1fcd1615b12