max_password_age

This built-in function ensures that the maximum password age (i.e., the time after which users are forced to change their passwords) is within the defined range.

Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.

| Operating System | Implementation |
| --- | --- |
| Linux | The variable PASS_MAX_DAYS is defined in /etc/login.defs. |
| Solaris | The variable MAXWEEKS in /etc/default/passwd defines the maximum number of weeks a password can be used. |
| HP-UX | This value is controlled by the variable PASSWORD_MAXDAYS in /etc/default/security. |
| macOS | The option “maxMinutesUntilChangePassword” of the password policy (as set through the pwpolicy tool) can be used to set this value. |

Usage

<item>
  name: "max_password_age"
  description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."
  value: "<min>..<max>"
</item>

Example

<item>
  name: "max_password_age"
  description: "Make sure a password can not be used for more than 21 days"
  value: "1..21"
</item>
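
As an added illustration (not the scanner's own code), the shell function below applies the same kind of <min>..<max> range test to the Linux setting listed above, PASS_MAX_DAYS in /etc/login.defs, and also fails when the setting is absent. The function name, messages and sample file are made up for this example, and it assumes that the last uncommented PASS_MAX_DAYS line is the effective one.

```shell
#!/bin/sh
# Added example, not Nessus code: evaluate PASS_MAX_DAYS from a login.defs-style
# file against a "<min>..<max>" range such as "1..21".

# Usage: check_max_password_age RANGE [FILE]
# Returns 0 if compliant, 1 if not compliant, 2 if RANGE is malformed.
check_max_password_age() {
    range=$1
    file=${2:-/etc/login.defs}
    case "$range" in
        *..*) min=${range%%..*}; max=${range##*..} ;;
        *) echo "ERROR: range must look like <min>..<max>"; return 2 ;;
    esac
    for n in "$min" "$max"; do
        case "$n" in
            ''|*[!0-9]*) echo "ERROR: non-numeric bound in '$range'"; return 2 ;;
        esac
    done

    # Commented-out lines never match because field 1 then starts with '#'.
    # Assumption: if the key appears more than once, the last line is effective.
    value=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$file" 2>/dev/null) || value=""

    if [ -z "$value" ]; then
        echo "FAILED: PASS_MAX_DAYS is not set in $file"; return 1
    fi
    case "$value" in
        *[!0-9]*) echo "FAILED: PASS_MAX_DAYS='$value' is not a non-negative integer"; return 1 ;;
    esac
    if [ "$value" -ge "$min" ] && [ "$value" -le "$max" ]; then
        echo "PASSED: PASS_MAX_DAYS=$value is within $range"; return 0
    fi
    echo "FAILED: PASS_MAX_DAYS=$value is outside $range"; return 1
}

# Constructed sample: the compliant line is commented out, the active one is not.
sample=$(mktemp)
printf '%s\n' '# PASS_MAX_DAYS 21' 'PASS_MAX_DAYS   99999' 'PASS_MIN_DAYS   0' > "$sample"
check_max_password_age 1..21 "$sample" || true   # prints: FAILED: PASS_MAX_DAYS=99999 is outside 1..21
rm -f "$sample"
```

PASS_MAX_DAYS is the default applied when an account is created; existing accounts keep the per-user maximum stored in /etc/shadow, which chage -l displays.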