min_password_age

This built-in function ensures that the minimum password age (e.g., the time required before users are permitted to change their passwords) is in the defined range.

Having a minimum password age prevents users from changing passwords too often in an attempt to override the maximum password history. Some users do this to cycle back to their original password, circumventing password change requirements.

Operating System

Implementation

Linux

The variable PASS_MIN_DAYS is defined in /etc/login.defs.

Solaris

The variable MINWEEKS in /etc/default/passwd defines the maximum number of weeks a password can be used.

HP-UX

This value is controlled by the variable PASSWORD_MINDAYS in /etc/default/security.

macOS

This option is not supported.

Usage

<item>

name: "min_password_age"

description: "This check reports agents and users with password history settings that are less than a specified minimum number of passwords."

value: "<min>..<max>"

</item>

Example

<item>

name: "min_password_age"

description: "Make sure a password cannot be changed before 4 days while allowing the user to change at least after 21 days"

value: "4..21"

</item>