1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days

Information

This defines how long a user can use a password before it expires.

Rationale:
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90.

Impact:
Failure to change administrative passwords can result in a slow "creep" of people who have access. Where staff turnover is high (for instance, in a NOC or SOC), administrative passwords need to be changed frequently.

Default Value:
Not enabled.
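
The check above, run offline against an exported configuration, as an added example that is not part of the CIS benchmark or the Palo_Alto plugin. The element path mgt-config/password-complexity/password-change/expiration-period, the meaning of <enabled> and of a value of 0, the function names and the sample configurations are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MAX_DAYS = 90  # threshold from this benchmark item
# Assumed location of the setting in an exported PAN-OS configuration.
COMPLEXITY_PATH = "mgt-config/password-complexity"
PERIOD_PATH = "password-change/expiration-period"


def check_password_change_period(config_xml, max_days=MAX_DAYS):
    """Return (passed, reason) for one exported configuration document."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return False, f"config is not well-formed XML: {exc}"

    complexity = root.find(COMPLEXITY_PATH)
    if complexity is None:
        return False, "password complexity section absent (default: not enabled)"
    # Assumption: the settings only take effect when <enabled> is "yes".
    if (complexity.findtext("enabled") or "").strip().lower() != "yes":
        return False, "password complexity is not enabled"

    raw = (complexity.findtext(PERIOD_PATH) or "").strip()
    if not raw.isdigit():
        return False, f"expiration period missing or non-numeric: {raw!r}"
    days = int(raw)
    # Assumption: 0 means passwords never expire, so it fails the check.
    if days == 0:
        return False, "expiration period is 0 (no expiry)"
    if days > max_days:
        return False, f"expiration period {days} exceeds {max_days} days"
    return True, f"expiration period is {days} days"


def _sample(enabled, days):
    """Build a constructed sample config (not taken from a real device)."""
    period = "" if days is None else (
        f"<password-change><expiration-period>{days}</expiration-period></password-change>")
    return (f"<config><mgt-config><password-complexity><enabled>{enabled}</enabled>"
            f"{period}</password-complexity></mgt-config></config>")


if __name__ == "__main__":
    cases = [("compliant", "yes", 90), ("too long", "yes", 180),
             ("disabled", "no", 60), ("unset", "yes", None)]
    for label, enabled, days in cases:
        print(label, check_password_change_period(_sample(enabled, days)))
```

A period that is set while the feature is disabled, or that is left unset, is reported as a failure rather than silently passing.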

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d), CSCv6|5

Plugin: Palo_Alto

Control ID: 07a2f3c4f2b4a2dbbddafd36f302a01b3bc15b0439a9d2f3770950d577ddf75f