800-53|IA-5(1)(d)

Title

PASSWORD-BASED AUTHENTICATION

Description

Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1.8 Set 'Minimum password age' to '1 or more day(s)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.1.9 Set 'Maximum password age' to '60 or fewer days' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.2 - /etc/security/user - 'minage >= 1' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.1.3 - /etc/security/user - 'maxage <= 13' but not 0 | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.1.3.5.4 Set 'Domain member: Maximum machine account password age' to '30 or fewer day(s)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.10 - /etc/security/user - 'maxexpired <= 2' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 1.2 Password Security Policy - f) The validity period of an account can be configured | ZTE_ROSNG | Tenable ZTE ROSNG |
| 1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 1.5 Ensure Password Expiration is set to 90 days | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |
| 2.2 Do Not Specify Passwords in Command Line - History | Unix | CIS MySQL 5.7 Enterprise Linux OS L1 v1.0.0 |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0 |
| 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 |
| 2.4 Password Security - 'maximum password age <= 90' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.4 Password Security - 'minimum password age >= 1' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Set 'Password Expiration' to '90' or less | Windows | CIS Microsoft Exchange Server 2016 CAS v1.0.0 |
| 2.8 Set 'Password Expiration' to '90' or less | Windows | CIS Microsoft Exchange Server 2013 CAS v1.1.0 |
| 3.1.2 /etc/security/user - minage | Unix | CIS IBM AIX 7.1 L1 v1.1.0 |
| 3.1.3 /etc/security/user - maxage | Unix | CIS IBM AIX 7.1 L1 v1.1.0 |
| 3.1.10 /etc/security/user - maxexpired | Unix | CIS IBM AIX 7.1 L1 v1.1.0 |
| 3.4 - Login and Password Parameters - Password Expiration Time <=90 days | Netapp_API | NetApp Security Hardening Guide for ONTAP 9 v1.7.0 |
| 3.4 - Login and Password Parameters - Password expiration warning | Netapp_API | NetApp Security Hardening Guide for ONTAP 9 v1.7.0 |
| 4.2 Ensure the vpxuser account's password is automatically changed every 10 or fewer days | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1 |
| 4.011 - Maximum password age does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41 |
| 4.012 - Minimum password age does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41 |
| 4.026 - To the extent system capabilities permit, system mechanisms are not implemented to enforce automatic expiration of passwords. | Windows | DISA Windows Vista STIG v6r41 |
| 5.2.7 Password Age | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 |
| 5.2.7 Password Age | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 |
| 5.2.7 Password Age | Unix | CIS Apple macOS 10.12 L1 v1.2.0 |
| 10.1.1 Set Password Expiration Days | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 |
| 10.1.1 Set Password Expiration Days | Unix | CIS Debian Linux 7 L1 v1.0.0 |
| 10.1.2 Set Password Change Minimum Number of Days | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 |
| 10.1.2 Set Password Change Minimum Number of Days | Unix | CIS Debian Linux 7 L1 v1.0.0 |
| 10.1.3 Set Password Expiring Warning Days | Unix | CIS Debian Linux 7 L1 v1.0.0 |
| 10.1.3 Set Password Expiring Warning Days | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 |
| 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |