10.1.2 Set Password Change Minimum Number of Days

Information

The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days.
By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

Solution

Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7
Modify active user parameters to match: # chage --mindays 7 <user>

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Unix

Control ID: 590bc8ac4fba2c939c8e8384bf50ba9c8dc285045cd0d19acecffb7356d011c8