130 – Limit password lifespan

Summary

Passwords must be valid for a maximum of 30 days.

Description

The risk of passwords being compromised increases due to new cyber threats attack techniques, and data breaches. Regularly changing passwords, helps organizations to reduce the window of opportunity for attackers to exploit compromised credentials.

Supported In

Essential: True

Advanced: True

References

• CAPEC-49. Password brute forcing
• CIS-5_3. Disable dormant accounts
• CWE-263. Password aging with long expiration
• CWE-521. Weak password requirements
• CWE-640. Weak password recovery mechanism for forgotten password
• CWE-1391. Use of Weak Credentials
• NERCCIP-007-6_R5_6. System access control
• MITRE-M1027. Password policies
• MITRE-M1036. Account use policies
• PADSS-3_1_7. Payment application requires changes to user passwords at least every 90 days
• CMMC-IA_L2-3_5_8. Password reuse
• HITRUST-01_d. User password management
• FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
• IEC62443-IAC-1_7. Strength of password-based authentication
• IEC62443-CR-1_7. Strength of password-based authentication
• IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
• ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
• PTES-5_5_3. Vulnerability analysis - Common/default passwords
• NIST800171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
• CWE25-287. Improper authentication
• NIST800115-5_1. Password cracking
• SWIFTCSC-4_1. Password policy
• C2M2-4_1_d. Establish identities and manage authentication
• PCI-8_3_9. A password or passphrase cannot be used indefinitely
• PCI-8_6_3. Use of application and associated authentication factors is strictly managed
• SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
• SIG-H_3_1_14. Access control
• SIG-H_3_1_15. Access control
• SIG-U_1_9_12. Server security
• SANS25-13. Improper authentication

Weaknesses

• 277 – Weak credential policy - Password Expiration
• 296 – Weak credential policy - Password Change Limit
• 363 – Weak credential policy - Password strength
• 364 – Weak credential policy - Temporary passwords
• 401 – Insecure service configuration - AKV Secret Expiration
• 403 – Insecure service configuration - usesCleartextTraffic
• 035 – Weak credential policy

Last updated

2024/02/05