pam_pwhistory
Prevent users from reusing old passwords
SYNOPSIS
```
pam_pwhistory.so [options]
```
PARAMETERS
remember={N}
Remember the last N passwords. Defaults to 24.
retry={N}
Retry the password change N times if the password is in the history. Defaults to 1.
difok={N}
Require at least N characters to be different between the old and new passwords. Defaults to 7.
enforce_for={user|uid}
Enforce history check for a specific user or UID. This can be specified multiple times.
store_user={username}
Specifies the username under which the history file is stored, which allows a history to be shared across multiple logins. By default the user's own name is used.
file={path}
Specifies the location of the password history file. Defaults to `/etc/security/opasswd` for root and `/home/
obscure
Suppress display of the old password at the prompt during the password change.
use_authtok
If an authentication token is already available from an earlier module in the stack, such as `pam_unix`, use that token rather than prompting for a new password.
debug
Log debugging information to syslog.
DESCRIPTION
The `pam_pwhistory` PAM module prevents users from reusing recently used passwords. It compares the new password against a history of old passwords stored in an encrypted file. This module enhances system security by enforcing password diversity, making it harder for attackers to compromise accounts using previously known credentials.
The module's behaviour is configurable through various options such as the number of passwords to store in the history file, the location of the history file, and whether to deny password changes if the new password is too similar to an old one. Using this module correctly helps satisfy compliance requirements for password management.
CAVEATS
The password history file is stored in a protected directory and encrypted, but it remains exposed if an attacker gains root access.
USAGE EXAMPLE
To keep the last 12 passwords in the history and require that a new password differ by at least 5 characters from the old ones, add the following line to the `/etc/pam.d/common-password` file:
```
password required pam_pwhistory.so remember=12 difok=5
```
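An added audit script (not part of this page or of Linux-PAM) that parses a password stack in the format of the example above and reports whether `pam_pwhistory` is present, enforced by its control field, configured to the chosen `remember`/`difok` thresholds, and stacked ahead of `pam_unix` so the history check runs before the password is replaced; the sample stack is constructed, and the defaults assumed for missing options are the ones documented above.

```python
import os
import re

# Constructed sample of a /etc/pam.d/common-password stack (not copied from any real host).
SAMPLE_STACK = """\
# password-related modules common to all services
password requisite pam_pwquality.so retry=3
password required pam_pwhistory.so remember=12 difok=5 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
"""

LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return [{control, module, options}] for each 'password' line; comments and
    other facilities are skipped, and a bracketed control field is kept whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m or m.group(1) != "password":
            continue
        options = {}
        for tok in m.group(4).split():
            key, _, val = tok.partition("=")
            options[key] = val if val else True  # bare flags such as use_authtok map to True
        entries.append({"control": m.group(2), "module": os.path.basename(m.group(3)), "options": options})
    return entries

def audit_pwhistory(text, min_remember=12, min_difok=5):
    """Return a list of policy findings; an empty list means the stack passes."""
    entries = parse_password_stack(text)
    modules = [e["module"] for e in entries]
    if "pam_pwhistory.so" not in modules:
        return ["pam_pwhistory.so is absent: old passwords can be reused"]
    hist = entries[modules.index("pam_pwhistory.so")]
    opts, findings = hist["options"], []
    if hist["control"] not in ("required", "requisite"):
        findings.append(f"control is '{hist['control']}': a history hit would not fail the change")
    remember = int(opts.get("remember", 24))  # default of 24 as documented above
    if remember < min_remember:
        findings.append(f"remember={remember} is below the required {min_remember}")
    difok = int(opts.get("difok", 7))  # default of 7 as documented above
    if difok < min_difok:
        findings.append(f"difok={difok} is below the required {min_difok}")
    if "pam_unix.so" in modules and modules.index("pam_unix.so") < modules.index("pam_pwhistory.so"):
        findings.append("pam_pwhistory.so is stacked after pam_unix.so, so the check runs after the password is already set")
    return findings
```

Run `audit_pwhistory(open("/etc/pam.d/common-password").read())` on a host to get its findings; an empty list means the stack meets the thresholds.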
HISTORY
The `pam_pwhistory` module has been available in PAM distributions for a long time and has evolved alongside security best practices. It is a key component for organizations that need to comply with password security policies, and its use has grown as companies adopt such practices to meet compliance standards and reduce the risk of credential-based attacks.