{"description": "The pam_cracklib module's <tt>difok</tt> parameter controls requirements for\nusage of different characters during a password change. The number of\nchanged characters refers to the number of changes required with respect to\nthe total number of positions in the current password. In other words,\ncharacters may be the same within the two passwords; however, the positions\nof the like characters must be different.\nMake sure the <tt>difok</tt> parameter for the pam_cracklib module is\nset to a value greater than or equal to <tt><sub idref=\"var_password_pam_difok\" /></tt>.", "rationale": "Requiring a minimum number of different characters during password changes\nensures that newly changed passwords do not resemble previously\ncompromised ones. Note that passwords which are changed on compromised\nsystems will still be compromised, however.", "severity": "medium", "references": {"srg": ["SRG-OS-000072-GPOS-00040"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "difok is not found or not set to the required value", "ocil": "To check how many characters must differ during a password change, run the\nfollowing command:\n<pre># grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so difok=<sub idref=\"var_password_pam_difok\" /></pre>\nThe <tt>difok</tt> parameter indicates how many characters must differ.\nThe profile requires that at least <sub idref=\"var_password_pam_difok\" /> characters differ during a password change.\nThis would appear as <tt>difok=<sub idref=\"var_password_pam_difok\" /></tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": 
null, "fixes": {}, "title": "Set Password Strength Minimum Different Characters", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml", "template": {"name": "pam_options", "vars": {"path": "/etc/pam.d/common-password", "type": "password", "control_flag": "requisite", "module": "pam_cracklib.so", "arguments": [{"variable": "difok", "operation": "greater than or equal"}]}, "backends": {}}}