Linux: Prevent From Using Or Reuse Same Old Passwords

PAM is a flexible mechanism for authenticating users. For example, you do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_unix2 (part of certain enterprise distro) PAM module. In this quick, blog post I am going to explain how to restrict use of previous passwords using

More about pam_unix/pam_unix2 module

This is the standard Unix authentication module. It uses standard calls from the system’s libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.

This module provides functionality for PAM modules such as authentication, account management and more. Same module can be used to maintain a list of old passwords for every user. This is useful if you want to disallow use of old passwords. The old password list is located in the /etc/security/opasswd file.

Configuration files

You need to edit the following files:

  1. /etc/login.defs – Shadow password suite configuration
  2. /etc/pam.d/common-auth – OpenSuse/Suse Enterprise Linux pam config file.
  3. /etc/pam.d/system-auth – CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
  4. /etc/pam.d/common-password – Debian / Ubuntu Linux pam config file.
  5. /etc/security/opasswd – Store old passwords.

Finding or file location

Type the following find command:

#* NOTE on a Linux (modern version) distro you do not need to set a full path *#
## 64 bit distro ##
find / -iname ""
find / -iname ""
## 32 bit distro ##
find / -iname ""
find / -iname ""

Sample outputs:

Fig. 01: Finding pam_unix full path on a Linux.

Fig. 01: Finding pam_unix full path on a Linux.

Step:1 – HowTo limit password reuse on Linux

Open your /etc/pam.d/common-password file on a Debian / Ubuntu Linux, run:
# # cp /etc/pam.d/common-password /root/common-password.bak
vi /etc/pam.d/common-password

If you are using CentOS / RHEL / RedHat / Fedora Linux, edit /etc/pam.d/system-auth file, run:
# cp /etc/pam.d/system-auth /root/system-auth.bak
# vi /etc/pam.d/system-auth

OpenSUSE/SUSE Linux user, edit /etc/pam.d/common-auth, run:
# cp /etc/pam.d/common-auth /root/common-auth.bak
# vi /etc/pam.d/common-auth

Edit/add password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:
password sufficient use_authtok md5 shadow remember=13

IF you are using, update it as follows:
password sufficient use_authtok md5 shadow remember=13

Save and close the file. Please note that the last 13 passwords for each user are saved in /etc/security/opasswd file in order to force password change history and keep the user from alternating between the same password too frequently.

Step:2 – Enable password aging

Edit /etc/login.defs, enter:

In this example, is configured to remember 13 passwords. User can not use the same password for at least 3 months (13*7=91 days = 3 months)

# vi /etc/login.defs
Set the minimum number of days (PASS_MIN_DAYS=7) allowed between password changes:

### Minimum number of 7 days before a user can change the password since the last change ###

Save and close the file.

Step:3 – /etc/security/opasswd

If the file /etc/security/opasswd does not exist, create the file using touch or shell redirection command:
# [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd
# [ ! -f /etc/security/opasswd ] && >/etc/security/opasswd
Use the following ls command to verify file permissions:
# ls -lZ /etc/security/opasswd
Sample outputs from RHEL SELinux enabled systems:

-rw-------. root root system_u:object_r:shadow_t:s0    /etc/security/opasswd

Test it

Linux based system will remember last 13 passwords. If user tries to use any one of the last 13 old passwords, he/she will get an error message as follows on screen:
Password has been already used. Choose another.

And there you have it. The configured to the number of previous passwords that cannot be reused. I also suggest that you use the pam_cracklib Linux pam module to set password quality requirements.

See also:

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 5 comments so far... add one
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
5 comments… add one
  • frank May 2, 2008 @ 3:10

    it does not work on my centos5… i tried to change my user password and tried use again my old password but it does not warn me that i already used my current password.

    did i miss anything?

  • Rahul Panwar Aug 3, 2009 @ 14:24

    Hi Vivek,
    I am a fan of your website, Thanks for posting such interesting topics. I am working on Linux security, using linux applications. Your website is very helpful for me. I always give it first preference when i found your website link.

    Ok, Now Can you please tell that it is possible to verify a new password has not been used in the last six months.

    Thanks & Regards
    Rahul Panwar

  • Sanchit Matta Jan 9, 2013 @ 19:28

    it does not work on my centos,actually after appending remember=10 still the /etc/security/opasswd file is empty….?

  • Mukhtar Sep 3, 2013 @ 20:04

    very informative, keep mailing us

  • Hajimuz Aug 31, 2016 @ 3:45 on SLES11 does not support md5, shadow, or remember paramenters.
    Use pam-config --verify before posting this.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum