R130. Limit password lifespan

Requirement

Passwords must be valid for a maximum of 30 days.

References

  1. CAPEC-49: Password Brute Forcing. In this attack, the adversary tries every possible value for a password until one succeeds. If it is computationally feasible, a brute force attack always succeeds eventually, because it works through every possible password for the alphabet used (lower-case letters, upper-case letters, digits, symbols, etc.) up to the maximum password length. A bounded password lifespan limits how long such a search, or a password recovered from a leaked hash, remains useful before the password is rotated.

  2. CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

  3. NERC CIP-007-6. B. Requirements and measures. R5.6 Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

  4. PCI DSS v3.2.1 - Requirement 8.2.4 Change user passwords/passphrases at least once every 90 days.
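The following is an added example of how this requirement can be enforced at login time; it is not code from the Fluid Attacks page or from any of the referenced standards. It assumes each account record stores the time its password was last set (the field names, the 5-day warning window and the PBKDF2 credential storage are assumptions for illustration). Credentials are verified before the age check so that password-expiry state is only revealed to someone who already holds the correct password, and an expired or administratively flagged password authenticates only into the change-password flow, never into a normal session. A missing or future-dated timestamp is treated as expired rather than trusted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MAX_PASSWORD_AGE = timedelta(days=30)  # R130: a password is valid for at most 30 days
WARN_BEFORE = timedelta(days=5)        # assumption: warn users 5 days before expiry
PBKDF2_ITERATIONS = 100_000            # assumption: illustrative work factor


class PasswordStatus(Enum):
    VALID = "valid"
    EXPIRING_SOON = "expiring_soon"
    EXPIRED = "expired"
    MUST_CHANGE = "must_change"  # set by an admin, e.g. after a suspected compromise


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: Optional[datetime]  # None: never recorded, treated as expired
    force_change: bool = field(default=False)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_account(username: str, password: str, set_at: Optional[datetime]) -> Account:
    """Create an account record; set_at is the moment the password was chosen."""
    salt = os.urandom(16)
    return Account(username, salt, _derive(password, salt), set_at)


def verify_password(account: Account, supplied: str) -> bool:
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(_derive(supplied, account.salt), account.password_hash)


def password_status(account: Account, now: datetime,
                    max_age: timedelta = MAX_PASSWORD_AGE,
                    warn_before: timedelta = WARN_BEFORE) -> PasswordStatus:
    """Classify the password's age relative to the lifespan policy."""
    if account.force_change:
        return PasswordStatus.MUST_CHANGE
    if account.password_set_at is None:
        return PasswordStatus.EXPIRED
    age = now - account.password_set_at
    if age < timedelta(0):
        # timestamp in the future: clock skew or tampering, do not trust it
        return PasswordStatus.EXPIRED
    if age >= max_age:
        return PasswordStatus.EXPIRED
    if age >= max_age - warn_before:
        return PasswordStatus.EXPIRING_SOON
    return PasswordStatus.VALID


def days_until_expiry(account: Account, now: datetime,
                      max_age: timedelta = MAX_PASSWORD_AGE) -> int:
    """Whole days left before the password must be changed (0 if already due)."""
    if account.password_set_at is None:
        return 0
    remaining = account.password_set_at + max_age - now
    return max(0, remaining.days)


def login(account: Account, supplied: str, now: datetime) -> str:
    """Return 'denied', 'change_required' or 'ok'.

    The credential is checked first; only a caller holding the right password
    learns whether it has expired, and an expired password may only be used
    to enter the change-password flow.
    """
    if not verify_password(account, supplied):
        return "denied"
    status = password_status(account, now)
    if status in (PasswordStatus.EXPIRED, PasswordStatus.MUST_CHANGE):
        return "change_required"
    return "ok"


def expired_accounts(accounts, now: datetime) -> list:
    """Audit helper: usernames whose password is past the 30-day limit."""
    return [a.username for a in accounts
            if password_status(a, now) is PasswordStatus.EXPIRED]


if __name__ == "__main__":
    # constructed sample data: three accounts evaluated on 2020-06-30
    now = datetime(2020, 6, 30, tzinfo=timezone.utc)
    alice = new_account("alice", "correct horse", datetime(2020, 6, 20, tzinfo=timezone.utc))
    bob = new_account("bob", "battery staple", datetime(2020, 5, 31, tzinfo=timezone.utc))
    for acct in (alice, bob):
        print(acct.username, password_status(acct, now).value,
              days_until_expiry(acct, now), login(acct, "correct horse", now))
```

Note that the 30-day limit in this requirement is considerably stricter than the 90 days of PCI DSS 8.2.4 or the 15 calendar months of NERC CIP-007-6 R5.6 cited above; the `max_age` parameter is kept explicit so that the same check can be configured to whichever bound applies. Use a timezone-aware clock for `now` and for the stored timestamp, otherwise the subtraction fails or silently shifts by the local UTC offset.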

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
