5.2.7 Ensure Password Age Is Configured

Information

Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically.This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.

Passwords should be changed periodically to reduce exposure.

Solution

Run the following command to require that passwords expire after at most 365 days:

% /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=<value<=525600>"

Impact:

Required password changes will lead to some locked computers requiring admin assistance.

See Also

https://workbench.cisecurity.org/benchmarks/17465