This built-in function ensures that the maximum password age (i.e., the time after which users are forced to change their passwords) is within the defined range.

Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.

Operating System

Linux

The variable PASS_MAX_DAYS is defined in /etc/login.defs.

Solaris

The variable MAXWEEKS in /etc/default/passwd defines the maximum number of weeks a password can be used.

HP-UX

This value is controlled by the variable PASSWORD_MAXDAYS in /etc/default/security.

Mac OS X

The option “maxMinutesUntilChangePassword” of the password policy (as set through the pwpolicy tool) can be used to set this value.



<item>
name: "max_password_age"
description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."
value: "<min>..<max>"
</item>




<item>
name: "max_password_age"
description: "Make sure a password can not be used for more than 21 days"
value: "1..21"
</item>
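The same range test can be reproduced by hand on a Linux host. The following is an added example, not the built-in function's own implementation: it checks PASS_MAX_DAYS in /etc/login.defs against a "<min>..<max>" value and goes one step beyond the system default by also checking the per-account maximum age (fifth field of /etc/shadow), because the login.defs default only applies to accounts created after it was set. The function names and the sample file contents are constructed for illustration.

```python
import re
# Constructed sample inputs (not taken from a real host).
LOGIN_DEFS = """\
#PASS_MAX_DAYS 21
PASS_MAX_DAYS   99999
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19700:0:21:7:::
bob:$6$constructed$hash:19700:0::7:::
daemon:*:19000:0:99999:7:::
"""

def parse_range(spec):
    """Split a "<min>..<max>" value such as "1..21" into two ints."""
    lo, hi = spec.split("..")
    return int(lo), int(hi)

def login_defs_max_days(text):
    """Return PASS_MAX_DAYS from login.defs text, or None when it is unset."""
    value = None
    for line in text.splitlines():
        m = re.match(r"\s*PASS_MAX_DAYS\s+(-?\d+)\s*(?:#.*)?$", line)
        if m:
            value = int(m.group(1))  # assumption: if repeated, last one wins
    return value

def audit(login_defs, shadow, spec):
    """Return (subject, problem) pairs for settings outside the range."""
    lo, hi = parse_range(spec)
    findings = []
    default = login_defs_max_days(login_defs)
    if default is None:
        findings.append(("login.defs", "PASS_MAX_DAYS not set"))
    elif not lo <= default <= hi:
        findings.append(("login.defs", f"PASS_MAX_DAYS={default} outside {spec}"))
    for entry in shadow.splitlines():
        f = entry.split(":")
        if len(f) < 5 or f[1].startswith(("!", "*")):
            continue  # malformed line, or account with no usable password
        if not f[4].isdigit():
            findings.append((f[0], "no maximum password age"))
        elif not lo <= int(f[4]) <= hi:
            findings.append((f[0], f"max age {f[4]} outside {spec}"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(LOGIN_DEFS, SHADOW, "1..21"):
        print(f"FAIL {subject}: {problem}")
```

On a real host, pass the contents of /etc/login.defs and /etc/shadow (readable by root only) instead of the constructed samples.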