5.2.7 Password Age

Information

Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically. This control uses 365 days as the acceptable value, some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.

Rationale:

Passwords should be changed periodically to reduce exposure

Impact:

Required password changes will lead to some locked computers requiring admin assistance

Solution

Run the following command to require that passwords expire after at most 365 days:

$ sudo pwpolicy -a <administratoraccount> -setaccountpolicies 'maxMinutesUntilChangePassword=<value<=525600>'

example:

$ sudo pwpolicy -a firstuser -setglobalpolicy 'maxMinutesUntilChangePassword=43200'

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Unix

Control ID: 0d5b288e687b68cdb111ac476c9d92e0f02ba0ac6584118ba6cc3e761223e660