max_password_age
This built-in function ensures that the maximum password age (i.e., the time after which users are forced to change their passwords) is within the defined range.
Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.
Operating System | Implementation |
---|---|
Linux | The variable PASS_MAX_DAYS is defined in |
Solaris | The variable MAXWEEKS in |
HP-UX | This value is controlled by the variable PASSWORD_MAXDAYS in |
macOS | The option “maxMinutesUntilChangePassword” of the password policy (as set through the |
Usage
<item>
name: "max_password_age"
description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."
value: "<min>..<max>"
</item>
Example
<item>
name: "max_password_age"
description: "Make sure a password can not be used for more than 21 days"
value: "1..21"
</item>
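The following sketch is an added example, not the product's own implementation: it applies the `<min>..<max>` range from the item above to the Linux PASS_MAX_DAYS variable and fails both out-of-range and missing settings, as the check description states. The function names, the login.defs-style sample text, and the choice to use the last uncommented entry are assumptions made for illustration.

```python
import re

# Matches an uncommented "PASS_MAX_DAYS <number>" line in login.defs-style text.
_SETTING = re.compile(
    r"^[ \t]*PASS_MAX_DAYS[ \t]+(-?\d+)[ \t]*(?:#.*)?$", re.MULTILINE
)


def parse_range(value):
    """Split an audit 'value' such as "1..21" into (min, max) integers."""
    m = re.fullmatch(r"\s*(\d+)\.\.(\d+)\s*", value)
    if not m:
        raise ValueError(f"expected '<min>..<max>', got {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"min {low} is greater than max {high}")
    return low, high


def check_max_password_age(config_text, value):
    """Return (passed, reason) for the given config text and range."""
    low, high = parse_range(value)
    found = _SETTING.findall(config_text)
    if not found:
        # A missing or commented-out setting is reported, not silently passed.
        return False, "no maximum password age setting"
    days = int(found[-1])  # assumption: the last uncommented entry is used
    if low <= days <= high:
        return True, f"PASS_MAX_DAYS {days} is within {low}..{high}"
    return False, f"PASS_MAX_DAYS {days} is outside {low}..{high}"


# Constructed sample inputs (not taken from any real host).
COMPLIANT = "# Password aging controls\nPASS_MAX_DAYS\t21\nPASS_MIN_DAYS\t1\n"
DEFAULT_LIKE = "PASS_MAX_DAYS   99999\n"
COMMENTED_OUT = "#PASS_MAX_DAYS 21\nPASS_MIN_DAYS 1\n"
NEGATIVE = "PASS_MAX_DAYS -1\n"

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("default-like", DEFAULT_LIKE),
               ("commented out", COMMENTED_OUT), ("negative", NEGATIVE)]
    for name, text in samples:
        print(name, check_max_password_age(text, "1..21"))
```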