Restrict password reuse to prevent cycling through recent passwords.
389-AC-008 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-008 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000165 |
Rationale
Mandatory password rotation loses its security value when users can immediately cycle back to a previously compromised credential - an attacker who obtained an old password through a breach or phishing campaign regains access the moment the user reuses it. Password history enforcement blocks reuse of the last N passwords, ensuring that rotation results in genuinely new credentials rather than trivial recycling. Retaining 24 passwords covers approximately two years of 90-day rotation cycles, meaning a credential compromised up to two years ago cannot be reinstated without detection. DISA SRG-APP-000165 requires that the last 24 passwords be prohibited for covered systems. Note that administrator resets via dsidm bypass the history check and should be used with documented justification; only user-initiated password changes are subject to history enforcement.
Check
Verify that password history is enabled and retains at least 24 previous passwords.
```sh
dsconf <instance> pwpolicy get | grep -i -E "passwordhistory|passwordinhistory"
```
Expected: `passwordHistory: on` / `passwordInHistory: 24`
Remediation
Enable password history and set the remembered password count to 24.
```sh
dsconf <instance> pwpolicy set --pwdhistory=on --pwdhistorycount=24
```
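The check above can be automated as a compliance function that parses the `attribute: value` lines returned by `dsconf <instance> pwpolicy get` and fails when history is off, the count is missing or non-numeric, or the count is below the required depth. This is an added example for this control, not part of the 389 DS tooling; the sample outputs are constructed, and the attribute names match those the Check section expects.

```sh
#!/bin/sh
# check_pw_history: read "attribute: value" lines (as printed by
# "dsconf <instance> pwpolicy get") on stdin and return 0 only when
# passwordHistory is on AND passwordInHistory >= required depth (default 24).
check_pw_history() {
    required="${1:-24}"
    hist=""
    count=""
    while IFS= read -r line; do
        # Attribute names are matched case-insensitively (LDAP attribute
        # names are case-insensitive and dsconf versions differ in casing).
        key=$(printf '%s' "$line" | cut -d: -f1 | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            passwordhistory)   hist=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') ;;
            passwordinhistory) count="$val" ;;
        esac
    done
    if [ "$hist" != "on" ]; then
        echo "FAIL 389-AC-008: passwordHistory is '${hist:-unset}', expected on"
        return 1
    fi
    case "$count" in
        ''|*[!0-9]*)
            echo "FAIL 389-AC-008: passwordInHistory is '${count:-unset}', expected integer >= $required"
            return 1 ;;
    esac
    if [ "$count" -lt "$required" ]; then
        echo "FAIL 389-AC-008: passwordInHistory is $count, expected >= $required"
        return 1
    fi
    echo "PASS 389-AC-008: passwordHistory on, passwordInHistory $count"
    return 0
}

# Constructed sample outputs (not captured from a real instance).
SAMPLE_COMPLIANT='passwordHistory: on
passwordInHistory: 24'
SAMPLE_SHALLOW='passwordhistory: on
passwordinhistory: 5'
SAMPLE_DISABLED='passwordHistory: off
passwordInHistory: 24'
```

In practice the function is fed live output, e.g. `dsconf <instance> pwpolicy get | check_pw_history`, and a non-zero exit signals that the Remediation command must be applied.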
References
Implementation Notes
Use --pwdhistorycount (not --pwdinhistory) when setting the remembered count - --pwdinhistory is not a valid dsconf flag and will produce an error. Both flags must be set: --pwdhistory=on activates the history mechanism and --pwdhistorycount=24 sets the depth. The dsconf pwpolicy get output displays the count as the LDAP attribute passwordInHistory (note the LDAP attribute name differs from the CLI flag name). Hashed copies of previous passwords are stored in the passwordHistory operational attribute on each user entry; these are not readable as plaintext. The history list is populated starting from the moment history is enabled - accounts that change their password for the first time after this control is applied will have fewer than 24 entries in their history until sufficient changes have occurred.