Profile Applicability:
• Level 1
Description:
Configuring the minimum number of changed characters in a new password compared to the old one prevents users from making trivial password changes, thus enhancing password strength and security.
Rationale:
Enforcing a minimum number of changed characters mitigates risks from users making minimal or predictable modifications to their passwords, strengthening overall account security.
Impact:
Pros:
Encourages users to create significantly different passwords upon change.
Reduces vulnerability to password reuse and guessing.
Cons:
May inconvenience users who find it difficult to create new passwords.
Default Value:
This setting is not always configured by default and must be explicitly enabled.
Pre-requisites:
Root or sudo privileges to configure PAM modules such as pam_pwquality.
Remediation:
Test Plan:
Using Linux command line:
1. Check the PAM configuration files (e.g., /etc/security/pwquality.conf or the PAM config) for the difok parameter, which specifies the minimum number of characters in the new password that must differ from the old one:
grep difok /etc/security/pwquality.conf
2. Verify the difok value is set appropriately (e.g., 3 or more).
Implementation Plan:
Using Linux command line:
- Edit /etc/security/pwquality.conf to set difok, for example:
difok = 3
Save the file.
Ensure PAM is configured to use pam_pwquality, which reads this file; the difok value has no effect otherwise.
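The audit and remediation steps above can be scripted so that the check is repeatable and the edit is idempotent. The following is an added example, not CIS or libpwquality code: it reads the effective difok value from a pwquality.conf-style file (ignoring commented-out defaults, which the stock file contains), reports pass/fail against a minimum of 3, and sets the value by replacing an existing active line or appending one. The file path is a parameter so the script runs on a constructed sample without root; on a real host point it at /etc/security/pwquality.conf, which requires root or sudo to write. It assumes GNU sed (as on Amazon Linux 2) for the in-place edit.

```shell
#!/bin/sh
# Added example (not CIS's or pwquality's own code): audit and remediate the
# difok setting in a pwquality.conf-style file. The path is a parameter so
# the functions can be exercised on a constructed sample without root.

# Print the effective difok value, skipping comment lines and keeping the
# last active assignment. Prints nothing if difok is not set at all.
get_difok() {
    conf="$1"
    sed -n 's/^[[:space:]]*difok[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1
}

# Exit 0 (pass) if difok is set and at least the minimum (default 3), else 1.
check_difok() {
    conf="$1"
    min="${2:-3}"
    val=$(get_difok "$conf")
    [ -n "$val" ] && [ "$val" -ge "$min" ]
}

# Set difok to the given value: rewrite an existing active line in place,
# otherwise append one. Commented-out defaults are left untouched.
# Uses GNU sed -i (Amazon Linux 2); BSD sed needs "sed -i ''".
set_difok() {
    conf="$1"
    val="$2"
    if grep -q '^[[:space:]]*difok[[:space:]]*=' "$conf"; then
        sed -i "s/^[[:space:]]*difok[[:space:]]*=.*/difok = $val/" "$conf"
    else
        printf 'difok = %s\n' "$val" >> "$conf"
    fi
}

# Demonstration on a constructed sample file, not a real system file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed sample of /etc/security/pwquality.conf
# difok = 5          <- commented-out default, must be ignored
minlen = 14
difok = 1
EOF
    before=$(get_difok "$tmp")
    if check_difok "$tmp"; then before_status=pass; else before_status=fail; fi
    set_difok "$tmp" 3
    after=$(get_difok "$tmp")
    if check_difok "$tmp"; then after_status=pass; else after_status=fail; fi
    echo "before: difok=$before ($before_status); after: difok=$after ($after_status)"
    rm -f "$tmp"
}

demo
```

Running the script prints "before: difok=1 (fail); after: difok=3 (pass)". To audit a real host, call check_difok /etc/security/pwquality.conf and treat a non-zero exit as a finding; run the remediation with sudo and then confirm with the grep from the Test Plan. Note that difok is only enforced when pam_pwquality has the old password to compare against, i.e. on a user-initiated change via passwd, so also test the change path as the Backout Plan suggests rather than relying on the file contents alone.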
Backout Plan:
Using Linux command line:
Remove or adjust the difok parameter as needed.
Test password change functionality.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pwquality.conf Manual