Limit password lifespan
Summary
Passwords must be valid for a maximum of 30 days.
Description
The risk of passwords being compromised increases due to new cyber threats attack techniques, and data breaches.
Regularly changing passwords, helps organizations to reduce the window of opportunity for attackers to exploit compromised credentials.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPECâ„¢-49. Password brute forcing
- CIS-5_3. Disable dormant accounts
- CWEâ„¢-263. Password aging with long expiration
- CWEâ„¢-521. Weak password requirements
- CWEâ„¢-640. Weak password recovery mechanism for forgotten password
- CWEâ„¢-1391. Use of Weak Credentials
- NERC CIP-007-6_R5_6. System access control
- MITRE ATT&CK®-M1027. Password policies
- MITRE ATT&CK®-M1036. Account use policies
- PA-DSS-3_1_7. Payment application requires changes to user passwords at least every 90 days
- CMMC-IA_L2-3_5_8. Password reuse
- HITRUST CSF-01_d. User password management
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-IAC-1_7. Strength of password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISA/IEC 62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- NIST 800-171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
- CWE TOP 25-287. Improper authentication
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- C2M2-4_1_d. Establish identities and manage authentication
- PCI DSS-8_3_9. A password or passphrase cannot be used indefinitely
- PCI DSS-8_6_3. Use of application and associated authentication factors is strictly managed
- SIG Lite-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG Core-H_3_1_14. Access control
- SIG Core-H_3_1_15. Access control
- SIG Core-U_1_9_12. Server security
- SANS 25-13. Improper authentication
Vulnerabilities
- 035.Weak credential policy
- 277.Weak credential policy - Password Expiration
- 296.Weak credential policy - Password Change Limit
- 363.Weak credential policy - Password strength
- 364.Weak credential policy - Temporary passwords
- 401.Insecure service configuration - AKV Secret Expiration
- 403.Insecure service configuration - usesCleartextTraffic
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.