1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days


This defines how long a user can use a password before it expires.


The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.


Failure to change administrative passwords can result in a slow 'creep' of people who have access. Especially in a situation with high staff turnover (for instance, in a NOC or SOC situation), administrative passwords need to be changed frequently.

Administrative credentials should not be shared across multiple devices. In a NOC/SOC situation, it's important to not share administrative credentials between operators (names accounts should be used), and in particular administrative credentials should never be shared across different customer infrastructures.


Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90

Default Value:

Not enabled.

See Also


Item Details


References: 800-53|AC-2(3), CSCv7|4.2, CSCv7|16

Plugin: Palo_Alto

Control ID: 6ddd1fba9c1bb179334e46eb354dd2acffbc865d760893f0c41b4bd3f7cc9665