TOC & Recently Viewed

Recently Viewed Topics


This built-in function ensures that the maximum password age (e.g., the time when users are forced to change their passwords) is in the defined range.

Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.

Operating System



The variable PASS_MAX_DAYS is defined in /etc/login.defs.


The variable MAXWEEKS in /etc/default/passwd defines the maximum number of weeks a password can be used.


This value is controlled by the variable PASSWORD_MAXDAYS in /etc/default/security.

Mac OS X

The option “maxMinutesUntilChangePassword” of the password policy (as set through the pwpolicy tool) can be used to set this value.



name: "max_password_age"

description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."

except: "user1" | "user2" (list of users to be excluded)

value: "<min>..<max>"




name: "max_password_age"

description: "Make sure a password can not be used for more than 21 days"

value: "1..21"


Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.