Accounts With Never Expiring Passwords



Active Directory accounts should follow a global password renewal policy that prohibits them from going indefinitely without changing their passwords.


A password expiration policy limits the risk of an attacker guessing or cracking a password before it changes. All user and administrator accounts must follow this policy without exception.
Service accounts can pose a challenge as they require special attention. In case the password of a service account expires and the application developer has not updated it, the service might stop functioning properly. To avoid such an interruption, a specific process must be in place to regularly update the password manually.

See Also

Best Practices for Enforcing Password Policies

Configuring Password Policies

Indicator Details

Name: Accounts With Never Expiring Passwords


Severity: Medium

MITRE ATT&CK Information:

Tactics: TA0004, TA0001, TA0003

Techniques: T1078

Attacker Known Tools

Gentil Kiwi: mimikatz