7.4 Set 'default_password_lifetime' to Require a Yearly Password Change

Information

Password expiry provides passwords with a time bounded lifetime.

Rationale:

The default_password_lifetime global variable prevents a password being set for an indefinite period. Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. More importantly, when events occur that could compromise password security account passwords should be expired immediately.

Impact:

Scripted clients or users dependent on automated login in a controlled environment will need to consider their authentication procedures. The server will accept the user but the user is placed in restricted mode. In restricted mode, operations performed within the session result in an error until the user establishes a new account password.

Solution

To remediate this recommendation, execute the following command:

SET GLOBAL default_password_lifetime=365;

Default Value:

360

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.10

Plugin: MySQLDB

Control ID: 58ce6eb22be41e4134ca560216390211782a7ffd221ca789bb9258a732e966e9