Weak Password Policy - Minimum Age

LOW

Description

Enforcing password history is a common safeguard against weak or previously compromised passwords. However, if the minimum password age is set too low, users can bypass this protection by rapidly cycling through temporary passwords to reuse an old one, thereby increasing the risk of unauthorized access to accounts and sensitive data.

Tenable Identity Exposure analyzes password policies as follows:

  • It evaluates the setting's value only if the setting is enabled.
  • For the Default Policy, it reports the setting as misconfigured if it is either disabled or has an insecure value. This is because the Default Policy acts as a fallback and should define all relevant settings with secure values as a last-resort safeguard.

Tenable Identity Exposure analyzes disabled password policies only when the corresponding IOE parameter is also disabled.
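The evaluation rules above, applied to Okta password policies as an added Python example (not Tenable's or Okta's own code). It assumes the shape of Okta's password policy objects (`status`, `settings.password.age.minAgeMinutes`, with 0 taken to mean the setting is disabled) and uses a hypothetical `include_disabled_policies` flag to stand in for the IOE parameter that controls whether disabled policies are analyzed.

```python
DEFAULT_MIN_AGE_MINUTES = 60  # IOE default named on the page (one hour)
DEFAULT_POLICY_NAME = "Default Policy"  # Okta's fallback password policy


def min_age_minutes(policy: dict) -> int:
    """Read settings.password.age.minAgeMinutes; 0 is treated as 'setting disabled' (assumption)."""
    age = policy.get("settings", {}).get("password", {}).get("age", {})
    return int(age.get("minAgeMinutes", 0) or 0)


def evaluate_min_age(policies, threshold=DEFAULT_MIN_AGE_MINUTES, include_disabled_policies=False):
    """Return (policy name, minAgeMinutes, reason) for each policy the indicator would flag."""
    findings = []
    for policy in policies:
        name = policy.get("name", "")
        min_age = min_age_minutes(policy)
        # Disabled policies are analyzed only when the (hypothetical) IOE parameter allows it.
        if policy.get("status") != "ACTIVE" and not include_disabled_policies:
            continue
        if name == DEFAULT_POLICY_NAME:
            # The fallback policy must have the setting both enabled and secure.
            if min_age <= 0:
                findings.append((name, min_age, "minimum age disabled on the fallback policy"))
            elif min_age < threshold:
                findings.append((name, min_age, f"minimum age below {threshold} minutes"))
        elif 0 < min_age < threshold:
            # Any other policy: the value is evaluated only if the setting is enabled.
            findings.append((name, min_age, f"minimum age below {threshold} minutes"))
    return findings


# Constructed sample, shaped like Okta password policy objects (not real tenant data).
SAMPLE_POLICIES = [
    {"name": "Default Policy", "status": "ACTIVE",
     "settings": {"password": {"age": {"minAgeMinutes": 0, "historyCount": 4}}}},
    {"name": "Contractors", "status": "ACTIVE",
     "settings": {"password": {"age": {"minAgeMinutes": 15, "historyCount": 4}}}},
    {"name": "Staff", "status": "ACTIVE",
     "settings": {"password": {"age": {"minAgeMinutes": 120, "historyCount": 4}}}},
    {"name": "Service Accounts", "status": "ACTIVE",
     "settings": {"password": {"age": {"minAgeMinutes": 0, "historyCount": 0}}}},
    {"name": "Legacy", "status": "INACTIVE",
     "settings": {"password": {"age": {"minAgeMinutes": 5, "historyCount": 4}}}},
]

if __name__ == "__main__":
    for name, age, reason in evaluate_min_age(SAMPLE_POLICIES):
        print(f"{name}: minAgeMinutes={age} ({reason})")
```

With the sample data, "Service Accounts" is not flagged because its minimum age is disabled on a non-default policy, while the same value on "Default Policy" is a finding.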

Solution

You must set the minimum password age to a higher value in the reported password policy.

Okta recommends a typical minimum password age of one hour (60 minutes), which is also the default setting in this Indicator of Exposure. Tenable advises selecting a value that aligns with your organization's risk tolerance, as well as the relevant industry standards and regulatory requirements for your sector and location. Be mindful of the impact on end-user experience, as users will need to wait for the minimum duration before they can change their password again.

Next, configure the optimal value in the IOE parameter.

Refer to Okta's official documentation for guidance on how to correctly configure the reported password policy.

Indicator Details

Name: Weak Password Policy - Minimum Age

Codename: WEAK-PASSWORD-POLICY-MINIMUM-AGE-OKTA

Severity: Low

Type: Okta Indicator of Exposure

MITRE ATT&CK Information: