Clearing Password History in Solaris 10

Later releases of the Solaris 10 OE introduce a new parameter, HISTORY, in the /etc/default/passwd file. This parameter keeps each user's previous passwords so that they cannot be recycled.

If password history is set and you attempt to reuse a previously used password, you receive the following:

# passwd mchurchi
New Password:
passwd: Password in history list.

Please try again
New Password:

To determine if password history is set, simply check for the HISTORY keyword in the /etc/default/passwd file:

# grep "^HISTORY=" /etc/default/passwd
HISTORY=15

From the above output, password history has been enabled and the last 15 passwords will be remembered for each user.

HISTORY - Determines the length of the history buffer used to ensure that passwords are not repeated within a certain length of time. Setting HISTORY to 12 or 24 is probably good, but you also need to consider how long a new password must be kept (MINWEEKS), because that determines how long a user would have to wait before reusing a password. If HISTORY were set to 12 but MINWEEKS set to 0, a user could change their password twelve times in succession and get back to the original.

To disable password history, simply change the HISTORY value to 0.

Review the article Enforcing password complexity on Solaris for more details on Solaris password options and settings.

Clearing Password History

However, occasionally one has to violate best practice and clear a user's password history. Here is how to do it:

  1. Grant write permissions to the password history file:
    # chmod 600 /etc/security/passhistory
  2. Check whether the user currently has password history entries:
    # grep "^mchurchi" /etc/security/passhistory
    mchurchi:$2a$04$A.vGapPSCtbmXj3B9hYK..7fkgJqpg3YKXFoOt1T.YLBk0xw5p9E.:aMPK0ug.Syoag:Lp145TNOHmdl
    The above output confirms that this user has password history entries.
  3. Now edit the file /etc/security/passhistory and delete the entire line for the user account you wish to change.
  4. Reset permissions to read-only for the root user on the password history file:
    # chmod 400 /etc/security/passhistory
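The following script is an added example, not part of the original article and not a Sun/Oracle-supplied tool. It pulls together the two procedures above: auditing HISTORY (and the MINWEEKS value the HISTORY description warns about) in a /etc/default/passwd-style file, and removing one user's line from a passhistory file while taking a backup and restoring the 0400 mode. Both file paths are parameters so the functions can be exercised on constructed copies first; the built-in demonstration only ever touches files it creates in a temporary directory. The sample hashes in the demo are constructed placeholders, not real Solaris hashes.

```shell
#!/bin/sh
# Added example (not from the original article): audit password-history
# policy and clear one user's passhistory entry safely.
# On a live Solaris 10 host the files would be /etc/default/passwd and
# /etc/security/passhistory and the script must run as root; here the
# paths are parameters so it can be tried on copies first.

# Print the value of KEY from a KEY=value defaults file (last uncommented
# occurrence wins), or "unset" if the key is absent.
get_default() {            # get_default KEY FILE
    val=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Report whether password history is enforced and whether MINWEEKS backs it.
# Returns 0 when HISTORY > 0 and MINWEEKS > 0, 1 when history is off,
# 2 when history is on but MINWEEKS is 0/unset (a user can cycle through
# the whole history buffer in one sitting and land back on the old password).
audit_history_policy() {   # audit_history_policy DEFAULTS_FILE
    hist=$(get_default HISTORY "$1")
    minw=$(get_default MINWEEKS "$1")
    case "$hist" in
        unset|0) echo "password history: disabled"; return 1 ;;
    esac
    echo "password history: last $hist passwords remembered"
    case "$minw" in
        unset|0) echo "warning: MINWEEKS=$minw, so $hist successive changes defeat the history"
                 return 2 ;;
    esac
    echo "MINWEEKS=$minw prevents rapid cycling through the history"
    return 0
}

# Remove USER's line from a passhistory file: keep a backup, rewrite through
# a mode-600 temporary file (the lines hold password hashes), and restore the
# root-only 0400 mode the file normally carries. Returns 0 on success and 1
# when the user has no entry (file left untouched).
clear_user_history() {     # clear_user_history USER HISTFILE
    user=$1; hf=$2
    # exact match on the first colon-separated field, unlike a bare grep "^user"
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$hf"; then
        echo "no password history entry for $user"
        return 1
    fi
    cp -p "$hf" "$hf.bak.$$"                 # backup keeps the same 0400 mode
    chmod 600 "$hf"                          # step 1: writable by root
    tmp="$hf.tmp.$$"
    ( umask 077; awk -F: -v u="$user" '$1 != u' "$hf" > "$tmp" )  # step 3
    cat "$tmp" > "$hf"                       # rewrite in place, same inode
    rm -f "$tmp"
    chmod 400 "$hf"                          # step 4: back to read-only for root
    echo "cleared password history for $user (backup: $hf.bak.$$)"
    return 0
}

# Demonstration on constructed copies in a temporary directory (never the
# live files). The hash fields are placeholders, not real Solaris hashes.
demo=$(mktemp -d)
printf 'MAXWEEKS=13\nMINWEEKS=0\nHISTORY=15\n' > "$demo/passwd"
printf 'mchurchi:$2a$04$CONSTRUCTED.HASH.NOT.REAL:x:y\nalice:$2a$04$CONSTRUCTED.HASH.NOT.REAL:z:w\n' \
    > "$demo/passhistory"
chmod 400 "$demo/passhistory"
audit_history_policy "$demo/passwd" || :
clear_user_history mchurchi "$demo/passhistory" || :
echo "remaining entries:"; cat "$demo/passhistory"
rm -rf "$demo"
```

To use it against a real host, run the audit first (`audit_history_policy /etc/default/passwd`), then clear on a copy of /etc/security/passhistory to confirm only the intended line disappears before pointing it at the live file; the `.bak.PID` copy it leaves beside the file contains password hashes and should be removed once you are satisfied.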