Information
The number of days for which a password is valid. After that time, the password expires. The count starts when the user changes their password. Users are required to change an expired password the next time they log in. If set to never, passwords do not expire. Does not apply to SNMP users.
Rationale:
The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
Solution
Run the following command to set the password-expiration setting.
CLI:
Hostname>set password-controls password-expiration 90
GUI:
Navigate to User Management > Password Policy > Mandatory Password Changes: Password Expiration:
Set 'Password expires after' setting to 90 or less
Default Value:
Passwords never expire