Description: The pwquality difok option sets the number of characters in a password that must not be present in the old password.Rationale:Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Audit: Run the following command to verify that the difok option in /etc/security/pwquality.conf is set to 2 or more: grep -i '^\s*difok\s*=\s*([0-9]*)' /etc/security/pwquality.conf.Remediation:Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or more: difok=2

[difok]

Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or more: difok=2