5.3.12 Ensure password prohibited reuse is at a minimum '5'


The operating system must be configured so that passwords are prohibited from reuse for a minimum of 5 generations.


Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.


To configure the operating system to prohibit password reuse for a minimum of 5 generations, add the following line to /etc/pam.d/system-auth and /etc/pam.d/password-auth (or modify the existing line so that it has the required value).
Example: vim /etc/pam.d/system-auth
Add, uncomment or update the following line:

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

Note: Manual changes to the listed files may be overwritten by the authconfig program. The authconfig program should not be used to update the configurations listed in this requirement.
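As an added audit and remediation helper (not part of the benchmark text), the POSIX shell script below checks a PAM file for an active pam_pwhistory line with remember= at or above the required value and rewrites or appends the line shown above. The function names and the constructed sample files are assumptions; the file path is a parameter so the same functions can be run against /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Hypothetical helper functions (added example, not part of the benchmark).
# Assumes GNU sed (as shipped on RHEL 7) for the in-place -i edits.

# pwhistory_ok FILE [MIN]: exit 0 only if FILE has an uncommented
# "password ... pam_pwhistory.so" line whose remember= value is >= MIN (default 5).
pwhistory_ok() {
    file=$1
    min=${2:-5}
    [ -r "$file" ] || return 1
    # Use the last active pam_pwhistory line in the password stack; commented lines never match.
    line=$(grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_pwhistory\.so' "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    # Pull the numeric remember= value; a missing or non-numeric value is a failure.
    remember=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]remember=\([0-9][0-9]*\).*/\1/p')
    [ -n "$remember" ] || return 1
    [ "$remember" -ge "$min" ]
}

# pwhistory_fix FILE [N]: set remember=N on the existing active pam_pwhistory line
# (adding the option if it is absent), or append the recommended line if there is none.
pwhistory_fix() {
    file=$1
    n=${2:-5}
    pat='^[[:space:]]*password[[:space:]]+[^#]*pam_pwhistory\.so'
    if grep -qE "$pat" "$file"; then
        # Rewrite an existing remember= value on the active line only.
        sed -i -E "/$pat/ s/remember=[0-9]+/remember=$n/" "$file"
        # Add remember= to an active line that lacks it entirely.
        sed -i -E "/$pat/{/remember=/!s/\$/ remember=$n/;}" "$file"
    else
        printf 'password    requisite     pam_pwhistory.so use_authtok remember=%s retry=3\n' "$n" >> "$file"
    fi
}

# make_samples: write two constructed, non-compliant PAM fragments to a temp dir
# and print the directory path (sample data, not real system files).
make_samples() {
    dir=$(mktemp -d)
    # remember=3 is below the required 5.
    printf 'auth        required      pam_env.so\npassword    requisite     pam_pwhistory.so use_authtok remember=3 retry=3\npassword    sufficient    pam_unix.so sha512 shadow use_authtok\n' > "$dir/weak"
    # pam_pwhistory is present only as a comment, so it is not enforced.
    printf '#password   requisite     pam_pwhistory.so remember=5\npassword    sufficient    pam_unix.so sha512 shadow\n' > "$dir/missing"
    printf '%s\n' "$dir"
}
```

Run pwhistory_ok on both real files to audit, and pwhistory_fix on each that fails; as the note above says, do not run authconfig afterwards or the edits may be overwritten.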


This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release 3, Benchmark Date: 26 Apr 2019

Vul ID: V-71933

Rule ID: SV-86557r3_rule

STIG ID: RHEL-07-010270

Severity: CAT II


Item Details


References: 800-53|IA-5(1)(e)

Plugin: Unix

Control ID: 1694a5675484f2774505fc7c3963a10eac2864a52b5aeacadf33e27dfce9734c