Skip to content

Limit Password Reuse

An XCCDF Rule

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is or greater. For example:

password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

ID
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()