5.4.3 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

Rationale:

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.

Solution

Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:

password required pam_pwhistory.so remember=5

Additional Information:

Changes only apply to accounts configured on the local system.

See Also

https://workbench.cisecurity.org/files/3219