
Configure the "Maximum password age" to organizational standards.


CONTROL ID
07688
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O17.3: For financial institutions, the organization shall revise passwords at relatively frequent intervals. O105-1.2(6): To protect customers against unauthorized use of their accounts, the organization should notify customers that they should change passwords regularly. T26.2(2): The organization … (O17.3, O105-1.2(6), T26.2(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • OTP time window: Challenge-based and time-based OTPs provide strong security because their period of validity is controlled entirely by the bank and does not depend on user behaviour. It is recommended that the banks should not allow the OTP time window to exceed 100 seconds on either side of the serve… (Critical components of information security g) ¶ 2 15. c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Passwords represent the first line of defence, and if not implemented appropriately, they can be the weakest link in the organisation. Thus, the FI should enforce strong password controls over users’ access to applications and systems. Password controls should include a change of password upon fir… (§ 11.1.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • When implementing time-based OTPs, the FI should establish a validity period that is as short as practicable to lower the risk of a stolen OTP being used for fraudulent transactions. (§ 14.2.5, Technology Risk Management Guidelines, January 2021)
  • User accounts are not configured with password never expires or password not required. (Control: ISM-1837; Revision: 0, Australian Government Information Security Manual, June 2023)
  • User accounts are not configured with password never expires or password not required. (Control: ISM-1837; Revision: 0, Australian Government Information Security Manual, June 2024)
  • User accounts are not configured with password never expires or password not required. (Control: ISM-1837; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The organization should ensure users change their passphrases at least every 90 days on systems classified below top secret. (Control: 0423 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must ensure passphrases are changed at least every 90 days on top secret systems. (Control: 0425 Bullet 1, Australian Government Information Security Manual: Controls)
  • Personnel should change all passphrases for a mobile device after they return from overseas travel. (Control: 1300, Australian Government Information Security Manual: Controls)
  • Passwords should be changed at least every 90 days. (§ 3.6.13, Australian Government ICT Security Manual (ACSI 33))
  • Maximum validity of 90 days, minimum validity of 1 day (Section 5.7 IDM-11 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • After 90 days, the user is forced to change the password with the next login. (Section 5.7 IDM-11 Description of additional requirements (confidentiality) ¶ 1 Bullet 6, Cloud Computing Compliance Controls Catalogue (C5))
  • Passwords must be changed when the password is first used and at least every 6 months. For sensitive or judicial data, the password must be changed at least every 3 months. (Annex B.5, Italy Personal Data Protection Code)
  • Automated enforcement for changing passwords should be provided. (§ IV.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization provide automated enforcement for changing passwords? (Table Row IV.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How often are users required to change their passwords? (Table Row IV.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are administrative accounts changed quarterly with very strong passwords? (Table Row XI.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Passwords should be changed on a regular basis or when the account may have been compromised. (Pg 151, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Users are required to change their passwords every x number of days. If they don't change their passwords at this predetermined time, they will be locked out of the system. (Pg 3, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • For all Windows XP environments, this setting should be set to 30 days. (Pg 34, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • Configure the "Maximum password age" setting to "90". (FB808B6B-0E37-489B-8588-13194E068FB2, Win7SP1 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "60". (A4FE25B9-49BD-42A8-8001-2BF362A30D4C, Win8 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "90". (97B7E027-E651-4C71-804E-34F447053F09, WinVistaSP2 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "90". (39C5AE9C-E0D6-4803-ABCF-838433408C83, WinXPSP3 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "90". (D182DAA2-FD14-418E-BD81-49F663B9EC81, WS2003SP2 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "90". (5E43213D-2AB1-443F-AEAE-2F79C75E2E56, WS2008R2SP1 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "90". (0F918E73-C8B4-43CD-8D62-A7C19CB7FA73, WS2008SP2 Domain Security Compliance, 1.0)
  • Configure the "Maximum password age" setting to "60". (31AB8B94-16E9-4328-9940-8D7016C2558F, WS2012 Domain Security Compliance, 1.0)
  • (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because … (1.1.2, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 1)
  • (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only) Description: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and uni… (18.2.6, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 1)
  • (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because … (1.1.2, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 2)
  • (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only) Description: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and uni… (18.2.6, CIS Microsoft Windows Server 2019 Benchmark, v1.2.1, Level 2)
  • Description: This control defines how many days a domain member can use the same password before it expires. Rationale: Enforcing a reasonably short password age will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known creden… (1.9.17, The Center for Internet Security Microsoft Windows 7 - Enterprise-Desktop Benchmark, 1.1.0)
  • Description: This control defines how many days a domain member can use the same password before it expires. Rationale: Enforcing a reasonably short password age will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known creden… (1.9.17, The Center for Internet Security Microsoft Windows 7 - Enterprise-Laptop Benchmark, 1.1.0)
  • Description: This control defines how many days a domain member can use the same password before it expires. Rationale: Enforcing a reasonably short password age will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known creden… (1.9.17, The Center for Internet Security Microsoft Windows 7 - SSLF-Desktop Benchmark, 1.1.0)
  • Description: This control defines how many days a domain member can use the same password before it expires. Rationale: Enforcing a reasonably short password age will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known creden… (1.9.17, The Center for Internet Security Microsoft Windows 7 - SSLF-Laptop Benchmark, 1.1.0)
  • Title: Set 'Maximum password age' to '60' or less Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this po… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.3_Set_Maximum_password_age_to_60_or_less Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.3.1_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Maximum password age' to '60' or less Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this po… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.3_Set_Maximum_password_age_to_60_or_less Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.3.2_, The Center for Internet Security Microsoft Windows 7 Level 1 + BitLocker Benchmark, 2.1.0)
  • Title: Set 'Maximum password age' to '60' or less Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this po… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.3_Set_Maximum_password_age_to_60_or_less Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.3.1_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Maximum password age' to '60' or less Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this po… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.2.1.4.2.3_Set_Maximum_password_age_to_60_or_less Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.2.1.4.2.3.2_, The Center for Internet Security Microsoft Windows 7 Level 1 Benchmark, 2.1.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.1_, The Center for Internet Security Microsoft Windows 8 Level 1 + BitLocker Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.1_, The Center for Internet Security Microsoft Windows 8 Level 1 Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.3_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Domain Controller Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.1_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.2_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • Title: Set 'Maximum password age' to '60 or fewer days' Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for t… (Rule: xccdf_org.cisecurity.benchmarks_rule_1.1.1.9_Set_Maximum_password_age_to_60_or_fewer_days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_1.1.1.9.3_, The Center for Internet Security Microsoft Windows Server 2012 Level 1 Member Server Benchmark, 1.0.0)
  • User accounts should have their passwords changed at least every 90 days. (Pg 11, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • Account passwords should be set to be changed at least every 90 days. (Pg 11, Pg 13, Pg 14, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • All passwords are changed at least every 90 days, including the Administrator and Guest accounts. (§ 2.1.2, § 2.2.2.2, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • All users should change their passwords at least every 90 days. This includes the Guest and Administrator accounts also. (§ 2.1.2, § 2.2.2.2, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • User accounts should have their passwords changed at least every 90 days. (§ 11, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • Account passwords should be set to be changed at least every 90 days. (§ 11, § 13, § 14, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • All passwords are changed at least every 90 days, including the Administrator and Guest accounts. (§ 2.1.2, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • Passwords must be changed at least every 90 days. (§ 2.2.2.2, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • Passwords should be changed at least every 90 days. (Pg 12, Pg 14, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • The maximum number of days that a password should be used is 90 days. (Pg 12, Pg 14, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • The organization must change user passwords on a regular basis. It also states that the requirement to change passwords also provides a practical defense against brute force password attacks. Given the nature of the brute force attack, it will always succeed if there is enough time to eventually gue… (§ 2.1.2, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • The organization must set maximum password age. Maximum and minimum password age requirements are enforced by the logon process. If an account never logs off, it will continue to gain access to resources until the system reboots. (§ 2.2.2.2, § 3.2.1.24, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • The system should be able to force passwords to be changed on a regular basis. (¶ 19.3 Bullet 5, Good Practices For Computerized systems In Regulated GXP Environments)
  • The control system shall provide the capability to enforce password minimum and maximum lifetime restrictions for all users. (5.9.3.2 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to prevent any given human user account from reusing a password for a configurable number of generations. In addition, the control system shall provide the capability to enforce password minimum and maximum lifetime restrictions for human users. These … (5.9.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide, or integrate into a system that provides, the capability to enforce password minimum and maximum lifetime restrictions for all users. (5.9.3 (2) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Components shall provide, or integrate into a system that provides, the capability to protect against any given human user account from reusing a password for a configurable number of generations. In addition, the component shall provide the capability to enforce password minimum and maximum lifetim… (5.9.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • The organization must change employee passwords regularly. (§ 1a, American Express Data Security Standard (DSS))
  • Change passwords at least every 30 days. Change workstation and server passwords at least every 30 days. (§ 3-3, § 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days. (§ 8.5.9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Inspect system configuration settings for a sample of system components to verify that user passwords are required to be changed at least every 90 days. (Testing Procedures § 8.2.4.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the internal processes and user or customer documentation from service providers to verify non-consumer user passwords are required to be changed periodically. (Testing Procedures § 8.2.4.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. (§ 8.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must ensure it has developed a password and user authentication management program that requires users change their passwords at least every 90 days. For service providers, the customer documentation should be examined to ensure customers are required to change their passwords perio… (§ 8.5.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days. (§ 8.5.9 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • User passwords or passphrases must be changed at least every 90 days. (PCI DSS Requirements § 8.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Change user passwords/passphrases at least once every 90 days. (8.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Change user passwords/passphrases at least once every 90 days. (8.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Change user passwords/passphrases at least once every 90 days. (8.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change? (8.2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are user passwords/passphrases changed at least once every 90 days? (8.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change? (8.2.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days. (8.2.4.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that: - Non-consumer customer user passwords/passphrases are required to change periodically; and - Non-consumer customer users are given guidance as to when, and u… (8.2.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are user passwords or passphrases changed at least every 90 days? (PCI DSS Question 8.2.4(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are user passwords or passphrases changed at least every 90 days? (PCI DSS Question 8.2.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are user passwords or passphrases changed at least every 90 days? (PCI DSS Question 8.2.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must be changed? (PCI DSS Question 8.2.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The password for the payment gateway system should be changed regularly. (Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The password for the payment gateway system should be changed on a regular basis. (Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • General application security controls must be reviewed when the application's logical access controls are performed, including ensuring passwords are changed according to the organization's policy. (§ 4 (Access Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Users should be required to change their passwords after the first use in order to prevent misuse and to mitigate any risks associated with interception of the password by unauthorized parties. (§ 3.4.4 ¶ 3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • All telephone system and voice mail passwords should be changed frequently. (Pg 15-IV-28, Protection of Assets Manual, ASIS International)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords are changed regularly (e.g., every 30 days) and more often for users with special access privileges. (CF.06.04.04f, The Standard of Good Practice for Information Security)
  • Where passwords are used to supplement token authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as changing passwords regularly. (CF.06.05.06-2, The Standard of Good Practice for Information Security)
  • Where passwords are used to supplement biometric authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as changing passwords regularly. (CF.06.06.06-2, The Standard of Good Practice for Information Security)
  • Access control mechanisms based on passwords should be enforced by automated means that ensure passwords are changed regularly (e.g., every 30 days) and more often for users with special access privileges. (CF.06.04.04f, The Standard of Good Practice for Information Security, 2013)
  • Where passwords are used to supplement token authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as changing passwords regularly. (CF.06.05.06-2, The Standard of Good Practice for Information Security, 2013)
  • Where passwords are used to supplement biometric authentication (e.g., to access a physical token or for fall-back purposes), good password practices should be applied, such as changing passwords regularly. (CF.06.06.06-2, The Standard of Good Practice for Information Security, 2013)
  • Passwords should be changed on all systems that have been compromised and other systems with which it interacts with regularly. If a sniffer attack is suspected, passwords may have been compromised on all systems on the LAN, and additional personnel will need to change passwords. (Action 3.7.1, Action 3.7.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should configure the system to require all administrative level accounts to change passwords on a frequency that is tied to the complexity of the password. (Critical Control 12.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should verify the passwords for service accounts are changed at least every 90 days. (Critical Control 12.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Non-administrative accounts should be required to have passwords that are changed at least every 90 days. (Critical Control 16.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Passwords should be changed on a regular basis and when there is an indication of compromise. (§ 11.3.1, § 11.5.3, ISO 27002 Code of practice for information security management, 2005)
  • Passwords should be changed at regular intervals. (§ 11.3.1, § 11.5.3, ISO 27002 Code of practice for information security management, 2005)
  • Components shall provide, or integrate into a system that provides, the capability to protect against any given human user account from reusing a password for a configurable number of generations. In addition, the component shall provide the capability to enforce password minimum and maximum lifetim… (5.9.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide, or integrate into a system that provides, the capability to enforce password minimum and maximum lifetime restrictions for all users. (5.9.3 (2) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • On UNIX computers or Linux computers that transmit scoped data, is the minimum password expiration at least 90 days? (§ G.16.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, is the minimum password expiration at least 90 days? (§ G.16.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, is the minimum password expiration at least 90 days? (§ G.16.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, is the minimum password expiration at least every 90 days? (§ G.17.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, is the minimum password expiration at least every 90 days? (§ G.17.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, is the minimum password expiration at least every 90 days? (§ G.17.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, is the minimum password expiration at least 90 days? (§ G.18.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, is the minimum password expiration at least 90 days? (§ G.18.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, is the minimum password expiration at least 90 days? (§ G.18.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that transmit scoped data, is the minimum password expiration at least 90 days? (§ G.19.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that process scoped data, is the minimum password expiration at least 90 days? (§ G.19.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that store scoped data, is the minimum password expiration at least 90 days? (§ G.19.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, is the minimum password expiration at least every 90 days? (§ G.20.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, is the minimum password expiration at least every 90 days? (§ G.20.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, is the minimum password expiration at least every 90 days? (§ G.20.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to change passwords at regular intervals? (§ H.4.1.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to change passwords at regular intervals? (§ H.4.1.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to change passwords at regular intervals? (§ H.4.1.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is the minimum password expiration configured to at least every 90 days? (§ V.1.72.13, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Passwords for "Classified Sensitive" systems should be changed semiannually. All other system passwords should be changed annually. (§ 2-15.i, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Passwords must be changed when an individual changes positions, when security is breached, or every 60 days. (CSR 2.9.9(4), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Passwords must be changed at least every 90 days. (Pg 46, C-TPAT Supply Chain Security Best Practices Catalog)
  • The System Administrator should ensure the Maximum Password Age is set to 90 days. Passwords also should be changed when a user has been transferred, discharged, or reassigned. The Information Assurance Officer should ensure all FTP userid passwords are changed every 90 days and have an expiration d… (§ 3.1.6.1, § 3.1.6.3.4, § 3.1.6.3.5, § 8.3, § 12.6.2.1.3.1, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The system administrator should ensure all user passwords, including the root password, are changed at least every 90 days. Passwords for non-interactive/automated processing accounts should be changed at least once a year and whenever an application administrator is reassigned. The root password sh… (§ 3.2.1, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The Backup and Default Administrator accounts should have their passwords changed at least annually or when an Administrator who knows the password leaves the organization. User passwords should have a maximum password age of 60 days. The computer account password should be changed at a maximum of e… (§ 3.4, § 5.3.3.1, § 5.3.8.21, § 5.7.1.2, § 5.7.1.3, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Administrator and Backup Administrator passwords should be changed on an annual basis or when a user who has access to one of these accounts leaves the organization. The "Maximum password age" value should be set to less than 60 days, but should never be set to 0 days. The "Domain Member:Maximum… (§ 3.1 (3.122), § 3.5.3 (4.011), § 3.5.7 (4.043), § 3.9.1 (4.026), § 3.9.1 (4.018), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • The Administrator and Backup Administrator accounts should have their passwords changed on an annual basis. For all other accounts, the "Maximum Password Age" value should be set to a maximum of 60 days, but should never be set to 0 days. The "Domain Member: Maximum Machine Account Password Age" val… (§ 3.4, § 5.3.3.1, § 5.3.7.17, § 5.7.1.2, § 5.7.1.3, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • If PIN authentication is used for PDAs or Smart phones, the passwords should be changed at least every 90 days. Interview the Information Assurance Officer (IAO) and the Security Administrator to verify the PIN authentication settings for PDAs and Smart phones are configured correctly. (§ 5 (WIR0450), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • If PIN authentication is used for PDAs or Smart phones, passwords should be changed at least every 90 days. Interview the Information Assurance Officer (IAO) and the Security Administrator to verify the PIN authentication settings for PDAs and Smart phones are configured correctly. (§ 5 (WIR0450), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • Authenticated login procedures to unlock a wireless e-mail device. When PIN authentication is used, the following procedures will be enforced: The password is changed at least every 90 days. The system security policy must be configured to enforce this policy. (§ 2.2 (WIR1100), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Passwords should be changed at least every 90 days. The BlackBerry Enterprise Server (BES) should be configured to enforce this policy. If password protection is used with CAC/PKI authentication, changing passwords should not be required. (§ 2.2 (WIR1100, WIR1110), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • Passwords should be changed at least every 90 days. The BES should be configured to enforce this policy. If password protection is used with CAC/PKI authentication, changing passwords should not be required. (§ 2.2 (WIR1100, WIR1110), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • § 2.2 (WIR3100) When Password authentication is used for wireless e-mail devices, the passwords should be changed at least every 90 days. App B.1 Row "Password Expires After" under Password Tab - Password Restrictions, should be set to 90 days or less. (§ 2.2 (WIR3100), App B.1 Row "Password Expires After", DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR3100) If Password authentication is used for wireless e-mail devices, passwords should be changed at least every 90 days. App B.1 Row "Password Expires After" under Password Tab - Password Restrictions, should be set to 90 days or less. § 2.2 (WIR3250) Ensure that all required wireless e… (§ 2.2 (WIR3100), App B.1 Row "Password Expires After", § 2.2 (WIR3250), App B.1 Row "Expiration", DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR2100) When Password authentication is used for wireless e-mail devices, the passwords should be changed at least every 90 days. App B.3 Row "Password Expiration", located under Policy Manager/Power-on Password, should be set to 90 days. Note: Only available with non-CAC PIN/password logo… (§ 2.2 (WIR2100), App B.3 Row "Password Expiration", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • § 2.2 (WIR2100) If Password authentication is used for wireless e-mail devices, passwords should be changed at least every 90 days. App B.3 Row "Password Expiration", located under Policy Manager/Power-on Password, should be set to 90 days. Note: Only available with non-CAC PIN/password logon. Conf… (§ 2.2 (WIR2100), App B.3 Row "Password Expiration", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • The system must enforce the automatic expiration of passwords. (IAIA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must enforce the automatic expiration of passwords. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Passwords must be changed at least every 12 months. (§ 8-303.i, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Passwords must be changed at least annually. (§ 8-303.i, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Passwords must be changed at least every 90 days. (Password Protection, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • Passwords shall expire inside of 90 calendar days. (§ 5.6.2.1.1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall change authenticators on a periodic basis. (§ 5.6.3.2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Expire within a maximum of 90 calendar days. (§ 5.6.2.1.1.1 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Be valid for a single session (§ 5.6.2.1.3 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • If not used, expire within a maximum of five (5) minutes after issuance (§ 5.6.2.1.3 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Expire within a maximum of 365 calendar days. (§ 5.6.2.1.2 ¶ 1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Expire within a maximum of 90 calendar days. (§ 5.6.2.1.1.1 ¶ 1 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • If not used, expire within a maximum of five (5) minutes after issuance (§ 5.6.2.1.3 ¶ 2 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Expire within a maximum of 365 calendar days. (§ 5.6.2.1.2 ¶ 1 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • If a PIN is used to access a soft certificate which is the second factor of authentication, AND the first factor is a password that complies with the requirements in Section 5.6.2.1.1, then the 365 day expiration requirement can be waived by the CSO. (§ 5.6.2.1.2 ¶ 1 5.a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Be valid for a single session (§ 5.6.2.1.3 ¶ 2 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. (Exam Tier II Obj 3.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether: ▪ Management requires operators to change their passwords at reasonable intervals. ▪ Management controls access to master password files ensuring that no one h… (Exam Tier II Obj 9.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d) Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Service accounts passwords shall expire within 366 days (inclusive). (IA-5 (CE-1) h.5.ii., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • One (1) day minimum and 90 days maximum. (IA-5 (CE-1) h.5.i., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Passwords for standard user accounts must be changed at least every 90 days. Passwords for privileged user accounts must be changed at least every 60 days. (Exhibit 4 IA-5, Exhibit 8 Control 02 thru Exhibit 8 Control 04, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Passwords for standard user accounts must be changed at least every 90 days. Passwords for privileged user accounts must be changed at least every 60 days. (Exhibit 8 Control 02, Exhibit 8 Control 03, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the password policy include the frequency of password changes? (IT - General Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are passwords configured with an expiration date? (IT - General Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there an expiration date for system passwords? (IT - Networks Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The maximum password age setting for Apache's service account should be configured appropriately. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of days References: Rule Title: The service account used to run the web service must have its password chang… (CCE-28007-3, Common Configuration Enumeration List, Combined XML: Apache 2.0, 5.20130214)
  • The maximum password age setting for Apache's service account should be configured appropriately. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of days References: Rule Title: The service account used to run the web service must have its password chang… (CCE-27868-9, Common Configuration Enumeration List, Combined XML: Apache 2.2, 5.20130214)
  • The 'Maximum password age' setting should be configured correctly. Technical Mechanisms: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property =… (CCE-10562-7, Common Configuration Enumeration List, Combined XML: Microsoft Windows Server 2008 R2, 5.20130214)
  • The "maximum password age" policy should meet minimum requirements. Technical Mechanisms: via /etc/login.defs Parameters: number of days References: Section: 2.3.1.7, Value: 180 CCE-U-8 (CCE-4092-3, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)
  • The "maximum password age" policy should meet minimum requirements. Technical Mechanisms: Use the set-user-password-reqs.fin Finish script Parameters: numeral References: Section: 7.3,Value:91 days CCE-U-8 (CCE-4165-7, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The maximum password age setting for Tomcat's service account should be configured appropriately. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of days References: Rule Title: The service account ID used to run the web site will have its password chang… (CCE-27675-8, Common Configuration Enumeration List, Combined XML: Tomcat 4, 5.20130214)
  • The "maximum password age" policy should meet minimum requirements. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of days References: CCE-871 All passwords are no more than 90 days old (maximum). Maximum Password Age (90) (CCE-3827-3, Common Configuration Enumeration List, Combined XML: Windows 2000, 5.20130214)
  • The "maximum password age" policy should meet minimum requirements. Technical Mechanisms: (1) defined by Local or Group Policy Parameters: (1) number of days References: CCE-871 Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security) 2.1.2 Maximum … (CCE-3530-3, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
  • The "Maximum password age" setting should be configured correctly. Technical Mechanisms: (1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies) Parameters: References: GPO Settings: Computer Configuration/Win… (CCE-2200-4, Common Configuration Enumeration List, Combined XML: Windows Server 2008, 5.20130214)
  • The verifier SHALL use approved encryption and an authenticated protected channel when collecting the OTP in order to provide resistance to eavesdropping and MitM attacks. Time-based OTPs [RFC 6238] SHALL have a defined lifetime that is determined by the expected clock drift — in either direction … (5.1.5.2 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The verifier SHALL use approved encryption and an authenticated protected channel when collecting the OTP in order to provide resistance to eavesdropping and MitM attacks. Time-based OTPs [RFC 6238] SHALL have a defined lifetime that is determined by the expected clock drift — in either direction … (5.1.4.2 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL … (5.1.1.2 ¶ 9, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Passwords on all WLAN components should be changed on a regular basis. (Table 8-5 Item 48, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • When deciding on the password lifetime, the organization should balance the security of a short lifetime against the burden of remembering new passwords when they are changed too often. (§ 3.2.3, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • (§ 3.11.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • All passwords are changed at least every 90 days, including the Administrator and Guest accounts. (§ 6.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • For all Windows XP environments, this setting should be set to 30 days. (§ 6.2.3, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Organizational records and documents should be examined to ensure passwords are set to a maximum lifetime. Test the password settings to ensure passwords have a maximum lifetime. (IA-5.1, IA-5.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1) ¶ 1(d) Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1) ¶ 1(d) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1) ¶ 1(d) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Passwords shall be changed on a regular basis. (SG.AC-21 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must manage system authenticators for devices and users by establishing minimum and maximum lifetime restrictions and reuse conditions for the authenticators. (App F § IA-5.f, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must manage system authenticators for devices and users by changing the authenticator on a predefined frequency. (App F § IA-5.g, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should enforce a minimum and maximum lifetime restriction for password-based authentication. (App F § IA-5(1)(d), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing/refreshing authenticators {organizationally documented time period by authenticator type}. (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of {organizationally documented numbers for lifetime maximum}. (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing/refreshing authenticators {organizationally documented time period by authenticator type}. (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of {organizationally documented numbers for lifetime maximum}. (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing/refreshing authenticators {organizationally documented time period by authenticator type}. (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of {organizationally documented numbers for lifetime maximum}. (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing/refreshing authenticators {organizationally documented time period by authenticator type}. (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of {organizationally documented numbers for lifetime maximum}. (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (IA-5(1)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; (IA-5g., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • This setting defines how long users are allowed to use their passwords before they expire. The values for this setting can range from 1 to 999 days. A 0 means the password will never expire. The default value is 42 days. The Maximum password age value should be set to 90 days. (Pg 16, NSA Guide to Security Microsoft Windows XP)
  • This setting controls the number of days before a computer changes its password. The Domain Member: Maximum Machine Account Password Age setting should be set to 30 days, which is the default value. (Pg 47, NSA Guide to Security Microsoft Windows XP)
  • Set expiration times for interactive database user account passwords to 60 days or less where supported by the DBMS. (DATABASE SECURITY IDENTIFICATION AND AUTHENTICATION: Password Attributes: ¶ 5, Guideline 661G1: Application Security, 661G1-01)
  • Set expiration times for non-interactive database application account passwords to 365 days or less where supported by the DBMS. (DATABASE SECURITY IDENTIFICATION AND AUTHENTICATION: Password Attributes: ¶ 6, Guideline 661G1: Application Security, 661G1-01)
  • 60 days (Table 1 Column 2 Row 4, Standard 630S1: Authenticator Management, 630S1-02)
  • assignment, to each individual with computer and Internet access to data compiled or maintained by such company, of passwords that are not vendor-assigned default passwords and that require resetting not less than every six months and of unique user identifications, that are designed to maintain the… (§ 38a-999b(b)(2)(B)(ii), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., TX-RAMP Security Controls Baseline Level 1)
  • Enforces password minimum and maximum lifetime restrictions of [TX-RAMP Assignment: one day minimum, sixty day maximum]; (IA-5(1)(d), TX-RAMP Security Controls Baseline Level 1)
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; (IA-5f., TX-RAMP Security Controls Baseline Level 2)
  • Enforces password minimum and maximum lifetime restrictions of [TX-RAMP Assignment: one day minimum, sixty day maximum]; (IA-5(1)(d), TX-RAMP Security Controls Baseline Level 2)