mediumaccess-controlverified ✓rollback-safe
Require changed characters from previous password
pam-pwquality-difok · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The difok parameter in /etc/security/pwquality.conf sets the minimum number of characters that must differ from the previous password.
Rationale
Requiring a minimum number of changed characters prevents users from making trivial changes to their existing password, such as incrementing a number at the end.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/pwquality.conf
- key:
- difok
- expected:
- {{ pam_pwquality_difok }}
- comparator:
- >=
Remediateconfig_set
- path:
- /etc/security/pwquality.conf
- key:
- difok
- value:
- {{ pam_pwquality_difok }}
- separator:
- =
Framework references
CIS
rhel8 5.3.3.2.1rhel9 5.3.3.2.1rhel10 5.3.2.2.1
STIG
V-258112 / RHEL-09-611115V-230363V-270729 / UBTU-24-400290V-260566 / UBTU-22-611040V-281185 / RHEL-10-600260
NIST 800-53
IA-5(1)(b)IA-5
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#pam#password#authentication#pwquality