
Technical How-To: Configure Password Policies on Windows, Linux, and macOS to Enforce Complexity and Character Changes for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.7

Step-by-step guidance to configure password complexity and character-change controls on Windows, Linux, and macOS to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 IA.L2-3.5.7.

April 25, 2026
4 min read


This post gives practical, technical steps you can follow on Windows (Domain and local), Linux (PAM), and macOS (local and MDM) to enforce password complexity and require a meaningful change to password characters — addressing NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IA.L2-3.5.7 — with examples geared to small-business realities.

Windows (Active Directory domain and local machines)

For domain-joined Windows environments, implement password policies via Group Policy or PowerShell to set minimum length, complexity, history, and age. In a typical AD deployment use Group Policy Management: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy. Recommended baseline settings for CUI-handling small orgs: Minimum password length 12–14, Password must meet complexity requirements = Enabled, Enforce password history = 24, Maximum password age = 90 days, Minimum password age = 1 day.

From the AD PowerShell module you can set the domain defaults in one command:

Set-ADDefaultDomainPasswordPolicy -Identity contoso -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1)

For local (non-domain) Windows hosts, use Local Security Policy (secpol.msc) or the legacy net accounts command for scripted changes:

net accounts /minpwlen:14 /uniquepw:24 /maxpwage:90

Note: native Windows enforces complexity classes and history but does not provide a built-in "difok" (minimum number of changed characters) setting. To require a minimum number of changed characters, deploy Azure AD Password Protection (blocks similar/bad passwords) or a third-party password filter (e.g., Specops Password Policy or a Microsoft-compatible password filter DLL) that enforces character-difference rules.

Linux (PAM: pam_pwquality / pam_cracklib)

On Linux, PAM provides the strongest native control for requiring actual character changes between the old and new password. Use pam_pwquality (modern) or pam_cracklib (older) and configure /etc/security/pwquality.conf (or the relevant file under /etc/pam.d/) with explicit parameters. Example line for /etc/pam.d/common-password (Debian/Ubuntu) or /etc/pam.d/system-auth (RHEL/CentOS):

password requisite pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 enforce_for_root

Key options: minlen sets the minimum length; the credit options with a negative value require at least that many characters of each class (dcredit digits, ucredit upper case, lcredit lower case, ocredit other); difok=4 requires at least four characters in the new password to differ from the old one, exactly the behavior NIST-style controls expect to prevent trivial password edits; enforce_for_root applies the rules to root as well. Also enable use_authtok where applicable (so the stacked pam_unix module reuses the password pam_pwquality already checked) and integrate with LDAP/SSSD if accounts are centralized, ensuring the central system enforces the same policy. After changes, test with a non-admin account and check /var/log/auth.log (or /var/log/secure) to confirm enforcement.

macOS (local pwpolicy, MDM and enterprise options)

macOS supports password policy configuration via the pwpolicy tool locally and, more importantly for fleets, via an MDM (Jamf, Intune, Profile Manager). A simple local command to require length and character classes:

pwpolicy -setglobalpolicy "minChars=14 requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1 usingHistory=5"

This enforces complexity and history, but local pwpolicy's ability to enforce a minimum number of changed characters is limited compared to PAM's difok. For fleet enforcement and character-difference behavior, prefer an MDM profile (Configuration Profile Restrictions/Password payload) or bind Macs to Active Directory so domain policy cascades (keeping in mind AD itself lacks difok). Organizations needing strict character-change enforcement on macOS should consider an MDM that can run a pre-change check script, or integrate with a centralized identity provider (Azure AD with Azure AD Password Protection, or a PAM/SSO solution) to enforce advanced rules centrally.
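To make the difok rule from the Linux section concrete, and to show the kind of pre-change check script mentioned above for MDM-managed Macs, here is an added Python example that is not code from the original post or from libpwquality. It evaluates a proposed password change against the same settings used in the PAM line (minlen=14, at least one character of each class, difok=4); the Policy class and function names are this example's own. It measures the change with a standard Levenshtein edit distance and, like libpwquality, also accepts a new password that is at least twice as long as the old one.

```python
"""Added example: evaluate a password change against pam_pwquality-style
settings (minlen=14, every character class, difok=4). Not the PAM module."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    minlen: int = 14            # pam_pwquality minlen=14
    difok: int = 4              # pam_pwquality difok=4
    required_classes: int = 4   # dcredit/ucredit/lcredit/ocredit = -1 each


def edit_distance(old: str, new: str) -> int:
    """Levenshtein distance: fewest single-character edits turning old into new."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1,               # delete a
                           cur[j - 1] + 1,            # insert b
                           prev[j - 1] + (a != b)))   # substitute a -> b
        prev = cur
    return prev[-1]


def differs_enough(old: str, new: str, difok: int) -> bool:
    """difok rule; like libpwquality, a new password at least twice as long
    as the old one is accepted regardless of the distance."""
    if len(new) >= 2 * len(old):
        return True
    return edit_distance(old, new) >= difok


def class_count(password: str) -> int:
    """Number of classes present: lower, upper, digit, other (symbol)."""
    alnum_classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    present = sum(any(c in cls for c in password) for cls in alnum_classes)
    return present + any(not c.isalnum() for c in password)


def check_change(old: str, new: str, policy: Policy = Policy()) -> list[str]:
    """Return the violated rules; an empty list means the change is allowed."""
    failures = []
    if len(new) < policy.minlen:
        failures.append(f"minlen: {len(new)} < {policy.minlen}")
    if class_count(new) < policy.required_classes:
        failures.append("classes: need lower, upper, digit and symbol")
    if not differs_enough(old, new, policy.difok):
        failures.append(f"difok: fewer than {policy.difok} characters changed")
    return failures
```

Running check_change("Winter-Storm-2024!", "Winter-Storm-2025!") returns only the difok failure, which is exactly the trivial edit that a history check alone would let through.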

Small-business implementation scenarios

Example 1 (25-seat manufacturing firm): Use AD GPO to set domain password policy to 14 chars, complexity enabled, history = 24, max age = 180 days; deploy Azure AD Password Protection for Office 365 accounts; onboard Macs via Jamf with a policy that mirrors complexity and history; configure Linux build server PAM with difok=4.

Example 2 (hybrid contractor with a handful of Linux servers and cloud identities): Enforce PAM policies on Linux hosts, enforce Azure AD Password Protection for Office 365 and Azure resources, and for unmanaged macOS endpoints require a password manager and MFA as compensating controls when difok cannot be centrally enforced.

Compliance tips and best practices

1) Document the policy and map settings to IA.L2-3.5.7 in your System Security Plan (SSP).
2) Prefer centralized enforcement: domain policies, LDAP/SSSD, or MDM so endpoints cannot deviate.
3) Combine complexity + history + a difok-equivalent where available (Linux PAM or third-party filters) — and always add MFA as a compensating control to reduce reliance on password strength alone.
4) Use password managers to reduce reuse and help users comply with longer passphrases.
5) Audit and log password policy failures and password-change attempts; keep these logs for your compliance evidence.
6) Where native OS controls are insufficient (Windows/macOS difok), evaluate vetted third-party password filters or Azure AD Password Protection to prevent trivial edits that defeat history checks.

Risk of not implementing IA.L2-3.5.7

Failure to enforce complexity and meaningful character changes increases the risk of credential compromise through brute-force attacks, dictionary attacks, and trivial password variations (Password1→Password2). Attackers who obtain weak or minimally changed passwords can move laterally, escalate privileges, and exfiltrate CUI — and noncompliance can lead to contract penalties, failed audits, and loss of federal contracts for organizations subject to DFARS/CMMC requirements.

In summary, meet IA.L2-3.5.7 by combining native OS controls (GPO, pam_pwquality, pwpolicy), centralized identity protection (Azure AD Password Protection or equivalent), and where needed third-party password filters to enforce minimum-character-change rules; document settings in your SSP, deploy via GPO/MDM, test thoroughly, and pair password controls with MFA and password manager adoption to get the strongest practical defense for small-business environments.
