
Configure the "Enforce password history" to organizational standards.


CONTROL ID
07877
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Minimum password complexity (ie, alphanumeric) and history; (1.6. ¶ 1 (c), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The organization should not allow users to use their previous two passwords. (T26.2(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Passwords represent the first line of defence, and if not implemented appropriately, they can be the weakest link in the organisation. Thus, the FI should enforce strong password controls over users’ access to applications and systems. Password controls should include a change of password upon fir… (§ 11.1.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should not let passphrases be reused for 8 changes on systems classified below top secret. (Control: 0424 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must not let users use the same passphrase for 8 changes on top secret systems. (Control: 0426 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must audit passphrases for privileged accounts on a regular basis to ensure they are not being reused or not being used for multiple accounts, particularly between privileged accounts and nonprivileged accounts. (Control: 0445 Bullet 6, Australian Government Information Security Manual: Controls)
  • When changing passwords, the new password should not be the same as one of the last 8 passwords the user used. (§ 3.6.13, Australian Government ICT Security Manual (ACSI 33))
  • Password history is 12. (Section 5.7 IDM-11 Description of additional requirements (confidentiality) ¶ 1 Bullet 7, Cloud Computing Compliance Controls Catalogue (C5))
  • Password history of 6 (Section 5.7 IDM-11 Basic requirement ¶ 1 Bullet 4, Cloud Computing Compliance Controls Catalogue (C5))
  • When resetting passwords, can users use a password they entered in the past? (Table Row XI.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Configure the "Enforce Password History" setting to "4". (7A5F2453-5577-4C39-9AD3-CBAB061C1492, Exchange2007SP3 CAS Services Security, 1.0)
  • Configure the "Enforce Password History" setting to "4". (AB4473EC-025C-4063-AC1D-2C80CAA53883, Exchange2010SP2 CAS Services Security, 1.0)
  • Users should not reuse their passwords. This setting sets how many past passwords the computer will remember. The Enforce Password History should be set to 24 passwords. The default value is 0 passwords. (Pg 3, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • Configure the "Enforce password history" setting to "24". (39067228-A06C-4D85-8AB4-95AE64028136, Win7SP1 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (9C20F6A4-84B3-4635-8A83-98BBE4DB41E5, Win8 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (3A22EBF8-5FB5-433C-9274-0E9B62BA7799, WinVistaSP2 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (61F53913-B242-4499-A638-925974EBD823, WinXPSP3 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (19ACE531-42C3-4496-A698-B3399D833502, WS2003SP2 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (6A1E3F15-D02A-4736-9B1D-DD6F0FCC37DD, WS2008R2SP1 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (BAA6E389-F20B-4F76-86C1-3881F5D9D625, WS2008SP2 Domain Security Compliance, 1.0)
  • Configure the "Enforce password history" setting to "24". (10C7A078-4592-4086-81C2-5CCCE0423443, WS2012 Domain Security Compliance, 1.0)
  • (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 2… (1.1.1, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 1)
  • (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 2… (1.1.1, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 2)
  • Title: Set 'Enforce password history' to '24' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The defa… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.4_Set_Enforce_password_history_to_24 Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.4.1_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Enforce password history' to '24' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The defa… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.4_Set_Enforce_password_history_to_24 Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.4.2_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Enforce password history' to '24' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The defa… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.4_Set_Enforce_password_history_to_24 Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.4.1_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Enforce password history' to '24' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The defa… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.4_Set_Enforce_password_history_to_24 Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.4.2_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.1_, The Center for Internet Security Microsoft Windows 8 Level 1 + BitLocker Benchmark, 1.0.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.1_, The Center for Internet Security Microsoft Windows 8 Level 1 Benchmark, 1.0.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • Title: Set 'Enforce password history' to '24 or more password(s)' Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Set_Enforce_password_history_to_24_or_more_passwords Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.5.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • The system should remember the last 24 passwords that a user has used. This will prevent the user from cycling through the same passwords over and over again. (Pg 13, Pg 14, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • The Enforce Password History setting should be set to 24. The system will store the last 24 passwords that a user has used in order to prevent a user from cycling through the same passwords. (§ 2.2.2.5, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • The system should remember the last 24 passwords that a user has used. This will prevent the user from cycling through the same passwords over and over again. (§ 13, § 14, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • The number of previous passwords that the system remembers will be set at 24 passwords. This will prevent users from cycling through the same passwords over and over again. (§ 2.2.2.5, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The Enforce Password History should be set to 24. This setting defines how many past passwords the system will remember to ensure unique passwords are being used. (Pg 15, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • The organization must enable password history. The Enforce Password History setting determines how many previous passwords are stored to ensure that users do NOT cycle through regular passwords. The NSA requirement of 24 passwords remembered should be viable for public use as well. When determining … (§ 2.2.2.5, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • The control system shall provide the capability to prevent any given human user account from reusing a password for a configurable number of generations. In addition, the control system shall provide the capability to enforce password minimum and maximum lifetime restrictions for human users. These … (5.9.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords. (§ 8.5.12, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Inspect the system configuration settings for a sample of system components to verify passwords are configured to require users to choose a new password that is not the same as the previous 4 passwords. (Testing Procedures § 8.2.5.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the internal processes and user or customer documentation from service providers to verify non-consumer user passwords cannot be the same as the previous 4 passwords. (Testing Procedures § 8.2.5.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure it has developed a password and user authentication management program that requires a user to use a password that he/she has not used within the last 4 password changes. For service providers, the customer documentation should be examined to verify customers cannot use … (§ 8.5.12, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords. (§ 8.5.12 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Users must not be allowed to submit a new password or passphrase that is the same as any of the last 4 passwords or passphrases that have been used. (PCI DSS Requirements § 8.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. (8.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. (8.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. (8.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used? (8.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used? (8.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Must an individual submit a new password/passphrase that is different from any of the last four passwords/passphrases he or she has used? (8.2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used? (8.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Must an individual submit a new password/passphrase that is different from any of the last four passwords/passphrases he or she has used? (8.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used? (8.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? (8.2.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? (8.2.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Must an individual submit a new password/passphrase that is different from any of the last four passwords/passphrases he or she has used? (8.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases. (8.2.5.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords. (8.2.5.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0.1)
  • Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases. (8.3.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases. (8.3.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0.1)
  • Must an individual submit a new password or phrase that is different from any of the last four passwords or phrases he or she has used? (PCI DSS Question 8.2.5(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Must an individual submit a new password or phrase that is different from any of the last four passwords or phrases he or she has used? (PCI DSS Question 8.2.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do authentication procedures and policies include instructions not to reuse previously used passwords? (PCI DSS Question 8.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Must an individual submit a new password or phrase that is different from any of the last four passwords or phrases he or she has used? (PCI DSS Question 8.2.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? (PCI DSS Question 8.2.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do authentication procedures and policies include instructions not to reuse previously used passwords? (PCI DSS Question 8.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. (8.3.7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • General application security controls must be reviewed when the application's logical access controls are performed, including ensuring the rotation of passwords meets the organization's policy requirements. (§ 4 (Access Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Access control mechanisms based on passwords should be enforced by automated means that restrict the re-use of passwords (e.g., so that they cannot be used again in a set period or set number of changes). (CF.06.04.03f, The Standard of Good Practice for Information Security)
  • Where passwords are used to supplement token authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as restricting the re-use of passwords. (CF.06.05.06-3, The Standard of Good Practice for Information Security)
  • Where passwords are used to supplement biometric authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as restricting the re-use of passwords. (CF.06.06.06-3, The Standard of Good Practice for Information Security)
  • Conferencing facilities (including teleconferencing, videoconferencing, and online web-based conferencing) should be protected against unauthorized access by providing a unique password for each new conference (i.e., not repeating the same password for consecutive conferences). (CF.09.08.06b, The Standard of Good Practice for Information Security)
  • Access control mechanisms based on passwords should be enforced by automated means that restrict the re-use of passwords (e.g., so that they cannot be used again in a set period or set number of changes). (CF.06.04.03f, The Standard of Good Practice for Information Security, 2013)
  • Where passwords are used to supplement token authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as restricting the re-use of passwords. (CF.06.05.06-3, The Standard of Good Practice for Information Security, 2013)
  • Where passwords are used to supplement biometric authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as restricting the re-use of passwords. (CF.06.06.06-3, The Standard of Good Practice for Information Security, 2013)
  • Conferencing facilities (including teleconferencing, videoconferencing, and online web-based conferencing) should be protected against unauthorized access by providing a unique password for each new conference (i.e., not repeating the same password for consecutive conferences). (CF.09.08.06b, The Standard of Good Practice for Information Security, 2013)
  • Verify that there are no periodic credential rotation or password history requirements. (2.1.10, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization should configure the system so that the user cannot use the same password inside a predefined time period. (Critical Control 12.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Non-administrative accounts should be required to not allow users to use the same password as the previous 15 passwords. (Critical Control 16.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • When changing passwords, users should not be allowed to recycle through old passwords. (§ 11.3.1, § 11.5.3, ISO 27002 Code of practice for information security management, 2005)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • On UNIX computers or Linux computers that process scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.16.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that transmit scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.16.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.16.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.17.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.17.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, is the password history set to at least 12 before a password is allowed to be reused? (§ G.17.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, is the password history set to 12 before a password is allowed to be reused? (§ G.18.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, is the password history set to 12 before a password is allowed to be reused? (§ G.18.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, is the password history set to 12 before a password is allowed to be reused? (§ G.18.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, is there a password history of 12 before reuse? (§ G.19.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, is there a password history of 12 before reuse? (§ G.19.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, is there a password history of 12 before reuse? (§ G.19.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, is there a password history of 12 before reuse? (§ G.20.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, is there a password history of 12 before reuse? (§ G.20.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, is there a password history of 12 before reuse? (§ G.20.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is the password history set to 12 before reuse? (§ V.1.72.14, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Passwords must be prohibited from being a password that was used for the last 6 generations. (CSR 2.9.9(8), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The system administrator should ensure users cannot use the same password within the last ten changes. (§ 3.2.1, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The number of passwords the system remembers should be set to a minimum of five passwords. (§ 5.3.3.4, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The "Enforce password history" value should be set to a minimum of five passwords. (§ 3.5.3 (4.014), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • The "Enforce Password History" value should be set to at least five passwords. (§ 5.3.3.4, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Wireless network device management interfaces and consoles should be password protected and the password should be in accordance with current organizational policy. Examine the network diagram and wireless devices to ensure they all require the use of passwords and the passwords are in compliance wi… (§ 3.1 (WIR0330), § 4.2 (WIR0330), § 4.4 (WIR0330), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Prohibit password reuse for a specified number of generations. (IA.2.079, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Prohibit password reuse for a specified number of generations. (IA.2.079, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Prohibit password reuse for a specified number of generations. (IA.2.079, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Prohibit password reuse for a specified number of generations. (IA.2.079, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Prevent reuse of identifiers for a defined period. (IA.L2-3.5.5 Identifier Reuse, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Prohibit password reuse for a specified number of generations. (IA.L2-3.5.8 Password Reuse, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • When passwords are changed, at least 4 of the characters must be changed. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • When passwords are changed, at least 4 of the characters must be changed. (IAIA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must prevent password reuse. (IAIA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must prevent password reuse. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Passwords shall not be the same as the previous 10 passwords. (§ 5.6.2.1.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Not be identical to the previous three (3) PINs. (§ 5.6.2.1.2 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]; and (IA-4d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prohibits password reuse for [FedRAMP Assignment: twenty four (24)] generations; and (IA-5(1)(e) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prohibits password reuse for [FedRAMP Assignment: twenty four (24)] generations; and (IA-5(1)(e) Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prohibits password reuse for [FedRAMP Assignment: twenty four (24)] generations; and (IA-5(1)(e) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]; and (IA-4d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]; and (IA-4d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]. (IA-4d., FedRAMP Security Controls High Baseline, Version 5)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]. (IA-4d., FedRAMP Security Controls Low Baseline, Version 5)
  • Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]. (IA-4d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Preventing reuse of identifiers indefinitely (IA-4 ¶ 1 d., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • For all systems: 24 generations. (IA-5 (CE-1) h.6.i., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Exhibit 8 Control 06 A new password must not be the same as one of the last 6 passwords used. (Exhibit 8 Control 06, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the password policy include not reusing previous passwords? (IT - General Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Password history should be saved for an appropriate number of password changes Technical Mechanisms: via /etc/security/user Parameters: number of password changes References: 10.8.10.5.1 (2) d) (CCE-4858-7, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • Password history should be saved for an appropriate number of password changes Technical Mechanisms: via /etc/security/user Parameters: number of password changes References: 10.8.10.5.1 (2) d) (CCE-5982-4, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • The "Enforce Password History" setting should be configured correctly. Technical Mechanisms: (1) Powershell: Get-ExchangeConfiguration -configType EnforcePasswordHistory |Select-Object -Property SettingData Parameters: 0 - 50 passwords References: Microsoft Tool: Security Compliance Mana… (CCE-19205-4, Common Configuration Enumeration List, Combined XML: Microsoft Exchange 2007, 5.20130214)
  • The "Enforce Password History" setting should be configured correctly. Technical Mechanisms: (1) Powershell: Get-ExchangeConfiguration -configType EnforcePasswordHistory |Select-Object -Property SettingData Parameters: 0-50 passwords References: Microsoft Tool: Security Compliance Manage… (CCE-19013-2, Common Configuration Enumeration List, Combined XML: Microsoft Exchange Server 2010, 5.20130214)
  • The "Enforce password history" setting should be configured correctly. Technical Mechanisms: (1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies) Parameters: number of passwords remembered References: Micros… (CCE-10809-2, Common Configuration Enumeration List, Combined XML: Microsoft Windows Server 2008 R2, 5.20130214)
  • Password history should be saved for an appropriate number of password changes Technical Mechanisms: via PAM Parameters: number of password changes References: 10.8.10.5.1 (2) d) (CCE-6045-9, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The strong password HISTORY value should meet minimum requirements Technical Mechanisms: Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts Parameters: numeral References: Section: 7.4,Value:10 CCE-U-10 (CCE-4563-3, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • Password history should be saved for an appropriate number of password changes Technical Mechanisms: via /etc/default/passwd Parameters: number of password changes References: 10.8.10.5.1 (2) d) (CCE-6529-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • Password history should be saved for an appropriate number of password changes Technical Mechanisms: via /etc/default/passwd Parameters: number of password changes References: 10.8.10.5.1 (2) d) (CCE-7086-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • The "enforce password history" policy should meet minimum requirements. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of passwords remembered References: CCE-60 Password History: 24 Passwords Remembered Password History (24) (CCE-3588-1, Common Configuration Enumeration List, Combined XML: Windows 2000, 5.20130214)
  • The "enforce password history" policy should meet minimum requirements. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of passwords remembered References: CCE-60 Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Cli… (CCE-3446-2, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
  • The "Enforce password history" setting should be configured correctly. Technical Mechanisms: (1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies) Parameters: (1) enabled/disabled References: GPO Settings: Co… (CCE-2237-6, Common Configuration Enumeration List, Combined XML: Windows Server 2008, 5.20130214)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • When a password is changed, the old password is stored on the system. Users will be prevented from using any of these passwords in the future when they change their passwords. This setting should be set to remember the last 24 passwords the user has used. (§ 6.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Organizational records and documents should be examined to ensure passwords are not reused. Test the password settings to ensure passwords cannot be reused for a predefined number of times. (IA-5.1, IA-5.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1) ¶ 1(e) Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1) ¶ 1(e) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1) ¶ 1(e) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prevent the reuse of identifiers for [Assignment: organization-defined time period]. (03.05.05 c., NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
  • Prevent reuse of identifiers for a defined period. (3.5.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Prohibit password reuse for a specified number of generations. (3.5.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Prevent reuse of identifiers for a defined period. (3.5.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Prohibit password reuse for a specified number of generations. (3.5.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Prevent reuse of identifiers for a defined period. (3.5.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Prohibit password reuse for a specified number of generations. (3.5.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must manage system identifiers for devices and users by preventing the reuse of device or User Identifiers for a predefined time period. (App F § IA-4.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should prohibit a password from being reused for a predefined number of generations, for password-based authentication. (App F § IA-5(1)(e), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization manages information system identifiers by preventing reuse of identifiers for {organizationally documented time period}. (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication prohibits password reuse for {organizationally documented number} generations. (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by preventing reuse of identifiers for {organizationally documented time period}. (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication prohibits password reuse for {organizationally documented number} generations. (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by preventing reuse of identifiers for {organizationally documented time period}. (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication prohibits password reuse for {organizationally documented number} generations. (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by preventing reuse of identifiers for {organizationally documented time period}. (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication prohibits password reuse for {organizationally documented number} generations. (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prohibits password reuse for [Assignment: organization-defined number] generations; and (IA-5(1)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]. (IA-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Preventing reuse of identifiers for [Assignment: organization-defined time period]; and (IA-4d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • This setting will tell the number of unique passwords a user must go through before an old password can be reused. The value can be set between 0 and 24. The default for Windows XP is 0 passwords. The Enforce Password History value should be set to 24 passwords. (Pg 16, NSA Guide to Security Microsoft Windows XP)
  • 24 passwords remembered (Table 1 Column 2 Row 2, Standard 630S1: Authenticator Management, 630S1-02)
  • Preventing reuse of identifiers for [TX-RAMP Assignment: at least two years]; and (IA-4d., TX-RAMP Security Controls Baseline Level 1)
  • Prohibits password reuse for [TX-RAMP Assignment: twenty four] generations; and (IA-5(1)(e), TX-RAMP Security Controls Baseline Level 1)
  • Preventing reuse of identifiers for [TX-RAMP Assignment: at least two years]; and (IA-4d., TX-RAMP Security Controls Baseline Level 2)
  • Prohibits password reuse for [TX-RAMP Assignment: twenty four] generations; and (IA-5(1)(e), TX-RAMP Security Controls Baseline Level 2)