Information
This defines how long a user can use a password before it expires.
Rationale:
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.
Impact:
Failure to change administrative passwords can result in a slow 'creep' of people who have access. Especially in a situation with high staff turnover (for instance, in a NOC or SOC situation), administrative passwords need to be changed frequently.
Administrative credentials should not be shared across multiple devices. In a NOC/SOC situation, it's important not to share administrative credentials between operators (named accounts should be used), and in particular administrative credentials should never be shared across different customer infrastructures.
Solution
Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90.
Default Value:
Not enabled.
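The check below is an added example, not part of the original benchmark text: it audits an exported configuration for the setting described in the Solution, failing when the period is missing, disabled, zero or above 90 days. The element paths, the `enabled` flag, the meaning of 0 and the sample fragments are assumptions constructed for illustration and should be confirmed against an export from the device being audited.

```python
import xml.etree.ElementTree as ET

MAX_DAYS = 90  # limit from the Solution above

# Assumed element paths in an exported configuration; confirm them against
# an export from your own device before relying on the result.
COMPLEXITY_PATH = "mgt-config/password-complexity"
PERIOD_PATH = "password-change/expiration-period"


def check_change_period(config_xml, max_days=MAX_DAYS):
    """Return (passed, reason) for the Required Password Change Period."""
    root = ET.fromstring(config_xml)
    complexity = root.find(COMPLEXITY_PATH)
    if complexity is None:
        return False, "password complexity block absent (default: not enabled)"
    if (complexity.findtext("enabled") or "").strip().lower() != "yes":
        return False, "password complexity is configured but not enabled"
    raw = (complexity.findtext(PERIOD_PATH) or "").strip()
    if not raw.isdigit():
        return False, "change period is not set"
    days = int(raw)
    if days == 0:  # assumption: 0 means passwords never expire
        return False, "change period is 0, passwords never expire"
    if days > max_days:
        return False, f"change period {days} exceeds {max_days} days"
    return True, f"change period {days} is within {max_days} days"


def sample(enabled, days):
    """Build a constructed (not captured) configuration fragment."""
    period = "" if days is None else (
        f"<password-change><expiration-period>{days}</expiration-period>"
        "</password-change>")
    return ("<config><mgt-config><password-complexity>"
            f"<enabled>{enabled}</enabled>{period}"
            "</password-complexity></mgt-config></config>")


SAMPLES = {
    "compliant": sample("yes", 90),
    "too long": sample("yes", 180),
    "never expires": sample("yes", 0),
    "not enabled": sample("no", 60),
    "period unset": sample("yes", None),
    "default": "<config><mgt-config/></config>",
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, check_change_period(xml_text))
```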