1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days

Information

This defines how long a user can use a password before it expires.

Rationale:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.

Impact:

Failure to change administrative passwords can result in a slow 'creep' of people who have access. Especially in a situation with high staff turnover (for instance, in a NOC or SOC situation), administrative passwords need to be changed frequently.

Administrative credentials should not be shared across multiple devices. In a NOC/SOC situation, it's important to not share administrative credentials between operators (names accounts should be used), and in particular administrative credentials should never be shared across different customer infrastructures.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90

Default Value:

Not enabled.

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|4.4

Plugin: Palo_Alto

Control ID: 65df1ef0daaf7748af43b6d085b914866e80d003c504d7396f48f7c21a67237b