Title

Maximum password age does not meet minimum requirements. (Cat II impact)

Discussion

Requirement: The IAO will ensure that all user passwords are changed at intervals of 90 days or less. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text

Ensure password life is no greater than 90 (180) days from the last password change.

Additional Identifiers

Rule ID: SV-8448r1_rule

Vulnerability ID: V-7962

Group Title: Max password age does not meet minimum requirement

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.