Information
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force
passwords to expire once they reach a defined age. It is recommended that the
PASS_MAX_DAYS parameter be set to less than or equal to 365 days.
Rationale:
The window of opportunity for an attacker to leverage compromised credentials or
successfully compromise credentials via an online brute force attack is limited by the age of
the password. Therefore, reducing the maximum age of a password also reduces an
attacker's window of opportunity.
Solution
Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs :
PASS_MAX_DAYS 365
Modify user parameters for all users with a password set to match:
# chage --maxdays 365 <user>
Notes:
You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less
for all users with a password.
Note: A value of -1 will disable password expiration. Additionally the password expiration
must be greater than the minimum days between password changes or users will be unable
to change their password.