max_password_age

This built-in function ensures that the maximum password age (i.e., the time after which users are forced to change their passwords) is within the defined range.

Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.

| Operating System | Implementation |
|---|---|
| Linux | The variable PASS_MAX_DAYS is defined in /etc/login.defs. |
| Solaris | The variable MAXWEEKS in /etc/default/passwd defines the maximum number of weeks a password can be used. |
| HP-UX | This value is controlled by the variable PASSWORD_MAXDAYS in /etc/default/security. |
| Mac OS X | The option “maxMinutesUntilChangePassword” of the password policy (as set through the pwpolicy tool) can be used to set this value. |

Usage

<item>
name: "max_password_age"
description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."
except: "user1" | "user2" (list of users to be excluded)
value: "<min>..<max>"
</item>

Example

<item>
name: "max_password_age"
description: "Make sure a password can not be used for more than 21 days"
value: "1..21"
</item>
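
To show what the "1..21" range means on a Linux agent, the following added example (not Tenable's implementation and not part of the original page) evaluates PASS_MAX_DAYS from login.defs content against the range and reports a missing setting. It assumes that per-user values come from field 5 of /etc/shadow, that the except list skips those users, and that locked accounts are ignored; all function names and sample data are hypothetical.

```python
import re

# Constructed sample inputs (not taken from a real host).
LOGIN_DEFS = """\
# PASS_MAX_DAYS 30   (commented out, must be ignored)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
"""
SHADOW = """\
root:!:19000:0:99999:7:::
alice:$6$placeholder:19000:0:21:7:::
bob:$6$placeholder:19000:0:99999:7:::
svc:$6$placeholder:19000:0::7:::
"""

def parse_range(spec):
    """Parse the item's value syntax "<min>..<max>" into (min, max)."""
    m = re.fullmatch(r"\s*(\d+)\.\.(\d+)\s*", spec)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"invalid range: {spec!r}")
    return int(m.group(1)), int(m.group(2))

def login_defs_max_days(text):
    """Return PASS_MAX_DAYS from login.defs content, or None if unset."""
    value = None
    for line in text.splitlines():
        m = re.match(r"\s*PASS_MAX_DAYS\s+(-?\d+)\s*(#.*)?$", line)
        if m:
            value = int(m.group(1))  # assumption: a later duplicate wins
    return value

def audit(login_defs, shadow, spec, exceptions=()):
    """Return a list of findings; an empty list means the check passes."""
    lo, hi = parse_range(spec)
    findings = []
    default = login_defs_max_days(login_defs)
    if default is None:
        findings.append("PASS_MAX_DAYS is not set")
    elif not lo <= default <= hi:
        findings.append(f"PASS_MAX_DAYS={default} is outside {lo}..{hi}")
    for entry in shadow.splitlines():
        f = entry.split(":")
        # Assumption: skip excepted users and accounts with a locked hash.
        if len(f) < 5 or f[0] in exceptions or f[1][:1] in ("!", "*"):
            continue
        # Field 5 of /etc/shadow is the per-user maximum age in days.
        if not f[4].isdigit() or not lo <= int(f[4]) <= hi:
            findings.append(f"user {f[0]}: max age {f[4] or 'unset'} is outside {lo}..{hi}")
    return findings

if __name__ == "__main__":
    for finding in audit(LOGIN_DEFS, SHADOW, "1..21", exceptions=("svc",)):
        print(finding)
```

With the sample data, the system default of 90 days and the user bob (99999 days) are reported, while alice (21 days) passes and svc is excluded.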

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.