{"description": "The <tt>remember</tt> option stores the last n passwords for each user in <tt>/etc/security/opasswd</tt>,\nenforcing password history and preventing users from reusing the same passwords. However, this feature\nrelies on the MD5 password hash algorithm, which is less secure. Instead, the <tt>pam_pwhistory</tt>\nmodule should be used. This module also stores the last n passwords in <tt>/etc/security/opasswd</tt>\nand it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,\noffering enhanced security.", "rationale": "Removing the <tt>remember</tt> argument ensures the use of a stronger password hashing algorithm.\nA more robust hash algorithm increases the difficulty for attackers to crack stored\npasswords in <tt>/etc/security/opasswd</tt>, thereby improving system security and\nprotecting user credentials. ", "severity": "medium", "references": {"cis": ["5.3.3.4.2"]}, "control_references": {"cis": ["5.3.3.4.2"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Avoid using remember in pam_unix module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml", "template": null}