5.4.11 Ensure password prohibited reuse is at a minimum 5

Information

The operating system must be configured so that passwords are prohibited from reuse for a minimum of 5 generations.

Rationale:

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.

Solution

To configure the operating system to prohibit password reuse for a minimum of 5 generations, edit both /etc/pam.d/system-auth and /etc/pam.d/password-auth (for example: vim /etc/pam.d/system-auth) and add, uncomment or update the following line so that remember= is at least 5:

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

Note: Manual changes to the listed files may be overwritten by the authconfig program. The authconfig program should not be used to update the configurations listed in this requirement.
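The following check script is an added example and is not part of the STIG or the audit file. It reads a PAM stack file, finds the uncommented "password ... pam_pwhistory.so" line, and reports the remember= value (0 when the module line is missing, commented out, or carries no remember= option), so the same test can be run against both /etc/pam.d/system-auth and /etc/pam.d/password-auth. The sample PAM files it tests are constructed inline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the STIG or Tenable): verify pam_pwhistory remember=N.

# pam_pwhistory_remember FILE
# Prints the remember= value from the first uncommented
# "password <control> pam_pwhistory.so ..." line, or 0 if there is none.
pam_pwhistory_remember() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip commented lines
        $1 == "password" && /pam_pwhistory\.so/ {
            found = 1
            for (i = 3; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) {
                    sub(/^remember=/, "", $i); print $i; exit
                }
            print 0; exit                              # module present, no remember=
        }
        END { if (!found) print 0 }                    # no active pam_pwhistory line
    ' "$1"
}

# pwhistory_compliant MIN FILE...
# Returns 0 only if every listed file enforces remember >= MIN.
pwhistory_compliant() {
    min=$1; shift
    for f in "$@"; do
        n=$(pam_pwhistory_remember "$f")
        [ "$n" -ge "$min" ] || return 1
    done
    return 0
}

# Constructed sample files (not real /etc/pam.d content) exercising the
# compliant, too-low, and commented-out cases.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/system-auth.ok" <<'EOF'
# constructed sample: compliant stack
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

cat > "$tmp/password-auth.weak" <<'EOF'
# constructed sample: remember set below the required minimum
password    requisite     pam_pwhistory.so use_authtok remember=3 retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

cat > "$tmp/password-auth.missing" <<'EOF'
# constructed sample: pam_pwhistory line commented out, so no history is kept
#password   requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

# Report each sample the way a manual audit would.
for f in "$tmp"/*; do
    if pwhistory_compliant 5 "$f"; then
        echo "PASS remember=$(pam_pwhistory_remember "$f") $(basename "$f")"
    else
        echo "FAIL remember=$(pam_pwhistory_remember "$f") $(basename "$f")"
    fi
done
```

On a live RHEL 7 host the same call would be `pwhistory_compliant 5 /etc/pam.d/system-auth /etc/pam.d/password-auth`; the commented-out case matters because authconfig can rewrite these files and silently drop a hand-edited line, which is why the note above says not to use it here.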

Additional Information:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version 3, Release 4, Benchmark Date: 23 Jul 2021

Vul ID: V-204422

Rule ID: SV-204422r603261_rule

STIG ID: RHEL-07-010270

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CCI|CCI-000200, CSCv7|4.4, Rule-ID|SV-204422r603261_rule, STIG-ID|RHEL-07-010270

Plugin: Unix

Control ID: c030ac80f247f04feff188993d69a321573d8787441d736612b4c5c3340c1d74