User Account Policy Password Never Changed/Expires

1980-01-01T00:00:00
ID OSVDB:755
Type osvdb
Reporter OSVDB
Modified 1980-01-01T00:00:00

Description

Vulnerability Description

Some systems are configured so that user accounts have passwords that do not expire. This means a user can continue logging into the account with the same password indefinitely. This is widely considered a bad security practice, as it may assist an attacker in carrying out brute-force style attacks against the system with a higher chance of success. In addition, if an attacker obtains a password through a method such as 'trashing' (recovering discarded material) or by capturing the hashed passwords, the password may already have been changed by the time they are able to try to log in with it. By requiring users to change their passwords frequently, it becomes more difficult for an attacker to carry out such attacks and the window of risk is significantly reduced.

Solution Description

Administrators should maintain a strong password policy which includes forcing users to change their passwords every 30 to 90 days. This should apply to any account that has significant user privileges or access to sensitive information.
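As an added example (not part of the OSVDB record), the following Python audit flags shadow-style accounts whose password never expires or has outlived the 90-day upper bound of the policy above. The sample records and hash strings are constructed, and the 90-day threshold is an assumption taken from the solution text.

```python
"""Flag shadow-style accounts whose passwords never expire or are overdue.

Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved,
with day counts measured from 1970-01-01. An empty or 99999 max field
means the password is never forced to change.
"""
from dataclasses import dataclass
from typing import List

MAX_AGE_DAYS = 90  # assumed policy: upper bound of the 30-90 day range

# Constructed sample records; hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19600:0:90:7:::
bob:$6$saltsalt$hashhashhash:19500::::::
svc_backup:$6$saltsalt$hashhashhash:19720:0:180:7:::
daemon:*:18000:0:99999:7:::
carol:!$6$saltsalt$hashhashhash:19000:0:90:7:::
"""


@dataclass
class Finding:
    user: str
    reason: str


def audit_shadow(text: str, today: int, max_age: int = MAX_AGE_DAYS) -> List[Finding]:
    """Return one Finding per account that violates the expiry policy."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue  # blank or malformed record: skip rather than crash
        user, pw_hash, lastchg, _min_days, max_days = fields[:5]
        # '*' means no password is set and a leading '!' means the account
        # is locked, so there is nothing to rotate for these entries.
        if pw_hash == "*" or pw_hash.startswith("!"):
            continue
        if max_days == "" or int(max_days) >= 99999:
            findings.append(Finding(user, "password never expires"))
            continue
        if int(max_days) > max_age:
            findings.append(Finding(user, f"max age {max_days}d exceeds policy {max_age}d"))
        if lastchg and today - int(lastchg) > max_age:
            findings.append(Finding(user, f"password is {today - int(lastchg)} days old"))
    return findings
```

Run it against a live system by feeding the contents of /etc/shadow (readable only by root) and today's day number, for example `int(time.time() // 86400)`.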

References:

Related OSVDB ID: 754
Related OSVDB ID: 752
Related OSVDB ID: 751
Nessus Plugin ID: 10916
Nessus Plugin ID: 10914