4.2.3 maxage

Information

Defines the maximum number of weeks that a password is valid.

Rationale:

The maxage attribute enforces regular password changes. We recommend a value of 13 or less, but not 0, which disables password ageing entirely.

Impact:

Historically, this recommendation has been to set maxage=13. In recent years several communities (e.g., Windows, DoD) have concluded that forcing password changes too frequently leads to both weaker passwords and weaker/bad password discipline (users rotate predictable variants or write passwords down).

An initial proposal to increase maxage to 52 does not have unanimous support within the AIX community, so the recommendation, for now, remains at 13.

Local policy may instead follow the other communities and set this value to 52.

Because of this lack of consensus, this control is set at Level 2.

Whatever value an organization chooses, the goal is to maintain overall password quality and secrecy.

Solution

In /etc/security/user, set the default user stanza maxage attribute to a number greater than 0 but less than or equal to 13:

chsec -f /etc/security/user -s default -a maxage=13

This means that a user password expires 13 weeks after it was set and must be changed at the next login. If 0 is set, password ageing is effectively disabled. Note that a maxage value in an individual user's stanza overrides the default stanza, so verify both the default and any accounts of interest, for example with lssec -f /etc/security/user -s default -a maxage.
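The following audit script is an added example and is not part of the CIS benchmark text or any IBM tooling. It parses a stanza file in the /etc/security/user format offline and reports the effective maxage for every stanza, applying the rule above (1 to 13 weeks passes, 0 or anything above 13 fails). The sample stanza file it creates is constructed for illustration; the function and variable names (stanza_attr, check_maxage, audit_file, SAMPLE_FILE) are this example's own. The script goes slightly beyond the text by also checking per-user stanzas, which inherit maxage from default only when they do not set it themselves.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit maxage in an AIX
# /etc/security/user-style stanza file. Runs offline against a copy of the
# file; on a live host you would point it at /etc/security/user itself.

# Constructed sample stanza file mirroring the AIX format ("*" starts a comment,
# stanza name on its own line ending in ":", attributes indented below it).
SAMPLE_FILE="${TMPDIR:-/tmp}/maxage_sample.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
* hypothetical /etc/security/user excerpt
default:
	admin = false
	maxage = 0
	minage = 1

root:
	admin = true
	maxage = 13

svcacct:
	maxage = 52
EOF

# stanza_attr FILE STANZA ATTR -> prints ATTR's value in STANZA (empty if unset)
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^\*/ { next }                         # comment line
        /^[^ \t*]/ && /:[ \t]*$/ {             # stanza header, e.g. "default:"
            name = $0
            sub(/:[ \t]*$/, "", name)
            in_s = (name == s)
            next
        }
        in_s {
            line = $0
            gsub(/[ \t]/, "", line)            # "maxage = 0" -> "maxage=0"
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == a) {
                print substr(line, n + 1)
                exit
            }
        }
    ' "$1"
}

# check_maxage VALUE -> exit 0 if VALUE is 1..13 weeks, 1 otherwise
# (0 disables ageing, anything above 13 exceeds the benchmark, non-numeric is invalid)
check_maxage() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 13 ]
}

# audit_file FILE -> one line per stanza: "<stanza> <effective maxage> PASS|FAIL"
# A user stanza without maxage inherits it from default; if default has none,
# AIX's built-in default is 0 (the "Default Value" above).
audit_file() {
    d=$(stanza_attr "$1" default maxage)
    [ -n "$d" ] || d=0
    for s in $(awk '/^[^ \t*]/ && /:[ \t]*$/ { sub(/:[ \t]*$/, ""); print }' "$1"); do
        v=$(stanza_attr "$1" "$s" maxage)
        [ -n "$v" ] || v="$d"
        if check_maxage "$v"; then r=PASS; else r=FAIL; fi
        echo "$s $v $r"
    done
}

audit_file "$SAMPLE_FILE"
```

Against the constructed sample this reports default (0) and svcacct (52) as FAIL and root (13) as PASS. On a real system, fix the default stanza with the chsec command shown above and then re-run the audit so that any user stanza that still sets its own out-of-range maxage is caught as well.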

Default Value:

maxage=0

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 28c498f79d01812575adb8d75168d91ae460e2f375a5ef513697f20cff2fa085