1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days

Information

This defines how long a user can use a password before it expires.

Rationale:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90.

Impact:

Failure to change administrative passwords can result in a slow "creep" of people who have access. Especially in a situation with high staff turnover (for instance, in a NOC or SOC situation), administrative passwords need to be changed frequently.

Default Value:

Not enabled.
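
One way to verify this setting offline against an exported configuration file, as an added example that is not part of the benchmark or the audit plugin. The XML path to the change period, the treatment of 0 as "never expires", and the `sample` helper with its constructed configs are assumptions; confirm the path against your own export.

```python
import xml.etree.ElementTree as ET

# Assumed location of "Required Password Change Period (days)" in an
# exported PAN-OS configuration; verify it against your own export.
PERIOD_PATH = "mgt-config/password-complexity/password-change/expiration-period"
MAX_DAYS = 90

def check_change_period(config_xml):
    """Return (passed, detail) for the 90-day password change requirement."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return False, f"config is not well-formed XML: {exc}"
    node = root.find(PERIOD_PATH)
    if node is None or not (node.text or "").strip():
        # Matches the documented default: the setting is not enabled.
        return False, "change period not configured (default: not enabled)"
    try:
        days = int(node.text.strip())
    except ValueError:
        return False, f"non-numeric change period: {node.text!r}"
    if days <= 0:
        # Assumption: 0 disables expiry, so it must fail the check.
        return False, "change period is 0, so passwords never expire"
    if days > MAX_DAYS:
        return False, f"change period is {days} days, above {MAX_DAYS}"
    return True, f"change period is {days} days"

def sample(period):
    """Build a constructed, minimal config; period=None omits the setting."""
    inner = "" if period is None else (
        f"<password-change><expiration-period>{period}"
        "</expiration-period></password-change>")
    return ("<config><mgt-config><password-complexity><enabled>yes</enabled>"
            f"{inner}</password-complexity></mgt-config></config>")

if __name__ == "__main__":
    for period in (90, 180, 0, None):
        print(period, check_change_period(sample(period)))
```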

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv6|5, CSCv7|16

Plugin: Palo_Alto

Control ID: 025be2655220466f8f64225afc9cf90db195ddacb5d045d4c5381e5f28eccda2