1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting defines how long a user can use their password before it expires.

Values for this policy setting range from 0 to 999 days.

If you set the value to 0, the password will never expire.

Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password.

However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

The recommended state for this setting is '60 or fewer days, but not 0'.

Solution

To establish the recommended configuration via GP, set the following UI path to '60 or fewer days, but not 0:'

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

See Also

https://workbench.cisecurity.org/files/1941

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|16.5

Plugin: Windows

Control ID: f35a8dbd68fc40c1e4be8953ca18d20acc667a8128ae0e592aaea18bb114a6d7