Limit password lifespan
Summary
Passwords must be valid for a maximum of 30 days.
Description
The risk of passwords being compromised increases due to new cyber threats attack techniques, and data breaches. Regularly changing passwords, helps organizations to reduce the window of opportunity for attackers to exploit compromised credentials.
References
- CAPEC-49. Password brute forcing
- CIS-5_3. Disable dormant accounts
- CWE-263. Password aging with long expiration
- CWE-521. Weak password requirements
- CWE-640. Weak password recovery mechanism for forgotten password
- CWE-1391. Use of Weak Credentials
- NERCCIP-007-6_R5_6. System access control
- MITRE-M1027. Password policies
- MITRE-M1036. Account use policies
- PADSS-3_1_7. Payment application requires changes to user passwords at least every 90 days
- CMMC-IA_L2-3_5_8. Password reuse
- HITRUST-01_d. User password management
- FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
- IEC62443-IAC-1_7. Strength of password-based authentication
- IEC62443-CR-1_7. Strength of password-based authentication
- IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- NIST800171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
- CWE25-287. Improper authentication
- NIST800115-5_1. Password cracking
- SWIFTCSC-4_1. Password policy
- C2M2-4_1_d. Establish identities and manage authentication
- PCI-8_3_9. A password or passphrase cannot be used indefinitely
- PCI-8_6_3. Use of application and associated authentication factors is strictly managed
- SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG-H_3_1_14. Access control
- SIG-H_3_1_15. Access control
- SIG-U_1_9_12. Server security
- SANS25-13. Improper authentication
Weaknesses
- 035. Weak credential policy
- 277. Weak credential policy - Password Expiration
- 296. Weak credential policy - Password Change Limit
- 363. Weak credential policy - Password strength
- 364. Weak credential policy - Temporary passwords
- 401. Insecure service configuration - AKV Secret Expiration
- 403. Insecure service configuration - usesCleartextTraffic
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.