Check: FreeBSD-10-000400
FreeBSD 10: FreeBSD-10-000400 (in version v1 r1)
Title
The operating system must not allow passwords to be similar to previous ones. (Cat II impact)
Discussion
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. Satisfies: SRG-OS-000072-GPOS-00040
Check Content
Verify the operating system does not allow passwords to be similar to previous ones. FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:

```
$ cat /etc/pam.d/passwd
password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok
```

Ensure the pam_passwdqc.so line is not commented out and contains the settings "enforce=everyone" and "similar=deny". If it does not, this is a finding.
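The check above, as an added audit script (not part of the STIG text): it reads a pam.d "passwd" file, requires an uncommented password-stack line loading pam_passwdqc.so, and reports a finding unless that line carries both "enforce=everyone" and "similar=deny". The sample configurations are constructed for offline testing; the default path /etc/pam.d/passwd is the one named in the check.

```shell
#!/bin/sh
# Audit helper for this rule. Usage: check_passwdqc [/path/to/pam.d/passwd]
# Returns 0 when compliant, 1 and a FINDING line otherwise.

check_passwdqc() {
    pam_file="${1:-/etc/pam.d/passwd}"
    # Only an uncommented "password" stack line that loads pam_passwdqc.so counts.
    line=$(grep -E '^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+pam_passwdqc\.so' "$pam_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "FINDING: no active pam_passwdqc.so line in $pam_file"
        return 1
    fi
    missing=""
    for opt in enforce=everyone similar=deny; do
        # Match the option as a whole token so that a different value
        # (e.g. enforce=users or similar=permit) is not accepted.
        echo "$line" | grep -qE "(^|[[:space:]])$opt([[:space:]]|\$)" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "FINDING: pam_passwdqc.so present but missing:$missing"
        return 1
    fi
    echo "PASS: $line"
}

# Constructed sample configurations for offline testing (not from a real host).
GOOD_CFG='password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok'
COMMENTED_CFG='# password requisite pam_passwdqc.so enforce=everyone similar=deny
password required pam_unix.so no_warn try_first_pass nullok'
WEAK_CFG='password requisite pam_passwdqc.so enforce=users similar=permit
password required pam_unix.so no_warn try_first_pass nullok'

# Write a sample to a temp file, run the check on it, and return the result.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if check_passwdqc "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

check_sample "$GOOD_CFG"       # PASS: compliant line
check_sample "$COMMENTED_CFG"  # FINDING: module commented out
check_sample "$WEAK_CFG"       # FINDING: both required settings missing
```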
Fix Text
Configure the operating system to not allow passwords to be similar to previous ones.
Additional Identifiers
Rule ID:
Vulnerability ID: V-400
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
Controls
| Number | Title |
|---|---|
| IA-5 (1) | Password-Based Authentication |