OL6-00-000060 - The system must require at least eight characters be changed between the old and new passwords during a password change - password-auth

Information

Requiring a minimum number of different characters during password changes ensures that a newly changed password does not closely resemble the one it replaces, including a previously compromised one. Note: Passwords which are changed on compromised systems will still be compromised.

Solution

The pam_cracklib module's 'difok' parameter controls requirements for usage of different characters during a password change.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding 'difok=[NUM]' after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is '8'.
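The following compliance check is an added example and is not part of the STIG or the Tenable audit; it scans a PAM file for every uncommented `password` line that loads `pam_cracklib.so` and reports a finding when the `difok=` argument is missing or below 8. The sample files it runs against are constructed in a temporary directory so the script runs offline; a missing `difok=` is treated as a finding because pam_cracklib then falls back to its module default (5), which is below the DoD value.

```shell
#!/bin/sh
# Added example (not from the STIG or Tenable): verify the 'difok' setting
# of pam_cracklib.so in a PAM stack file such as /etc/pam.d/password-auth.

# check_difok FILE [MIN]
# Returns 0 when every uncommented "password ... pam_cracklib.so" line in
# FILE carries difok=N with N >= MIN (default 8); returns 1 and prints the
# reason otherwise. A line with no difok= argument fails, since the module
# default (5) does not meet the requirement.
check_difok() {
    file=$1
    min=${2:-8}
    awk -v min="$min" -v f="$file" '
        /^[[:space:]]*#/ { next }                      # skip comments
        $1 == "password" && /pam_cracklib\.so/ {
            found = 1
            val = 0                                    # 0 marks "not set"
            for (i = 3; i <= NF; i++) {                # module args start after the control field
                if ($i ~ /^difok=[0-9]+$/) {
                    split($i, kv, "=")
                    val = kv[2] + 0
                }
            }
            if (val == 0)       { bad = f ": difok not set on pam_cracklib.so line" }
            else if (val < min) { bad = f ": difok=" val " is below " min }
        }
        END {
            if (!found) { print f ": no password line loads pam_cracklib.so"; exit 1 }
            if (bad)    { print bad; exit 1 }
            print f ": difok >= " min; exit 0
        }
    ' "$file"
}

# Demonstration on constructed sample files (not real system configuration).
demo_dir=$(mktemp -d)
printf '%s\n' \
    '# constructed sample: compliant' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3 difok=8' \
    'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
    > "$demo_dir/password-auth.compliant"
printf '%s\n' \
    '# constructed sample: difok too low' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3 difok=4' \
    > "$demo_dir/password-auth.low"
printf '%s\n' \
    '# constructed sample: difok absent' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3' \
    > "$demo_dir/password-auth.unset"

for sample in "$demo_dir"/password-auth.*; do
    if check_difok "$sample"; then echo "  PASS"; else echo "  FINDING"; fi
done
rm -rf "$demo_dir"
```

On a live system the same function is run against both files the STIG names, for example `check_difok /etc/pam.d/system-auth && check_difok /etc/pam.d/password-auth`; the awk scan starts at the third field so a bracketed control value such as `[success=1 default=ignore]` does not confuse the argument parsing.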

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_6_V2R7_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(b), CAT|III, CCI|CCI-000195, Rule-ID|SV-208835r793620_rule, STIG-ID|OL6-00-000060, STIG-Legacy|SV-65125, STIG-Legacy|V-50919, Vuln-ID|V-208835

Plugin: Unix

Control ID: 5155a23436801352aabb53a549a76b24f66ec446e159aa4a57fcf9862937ac57