OSVDB ID: 755

Title: User Account Policy Password Never Changed/Expires

Info

Dates
Disclosure: Unknown
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Some systems are configured so that user account passwords never expire, meaning a user can keep logging into the account with the same password indefinitely. This is widely considered poor security practice: it gives an attacker an unlimited window in which to carry out brute-force style attacks against the account, with a higher chance of success. Conversely, if an attacker obtains a password through a method such as 'trashing' or by recovering the hashed passwords, a password that is rotated may already have been changed by the time they are able to try logging in with it. Requiring users to change their passwords regularly makes such attacks harder to carry out and significantly narrows the window of risk.

Classification

Location: Local Access Required, Remote/Network Access Required
Attack Type: Authentication Management
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Best Practice

Solution

Administrators should maintain a strong password policy that includes forcing users to change their passwords every 30 to 90 days. This should apply to any account that has significant user privileges or access to sensitive information.
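The check and the corrective setting described above, as an added shell example that is not part of the OSVDB record or any vendor's tooling: it audits a constructed /etc/shadow-style sample for accounts whose maximum password age is unset, set to the traditional 99999 ("never"), or above the 90-day upper bound of the stated policy, and prints the chage command that would apply that bound. The shadow(5) field layout, the sample accounts and the 90-day limit are assumptions taken from the common Unix shadow format and the record's 30 to 90 day range.

```shell
#!/bin/sh
# Added example (not from the OSVDB record): find accounts whose passwords
# never expire and show the setting that enforces the 30-90 day policy.
#
# Assumed input layout (shadow(5)):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Field 5 (max) is the maximum password age in days; empty or 99999
# is conventionally treated as "never expires".

MAX_AGE_DAYS=90   # upper bound of the 30-90 day range in the record

# Constructed sample, not taken from any real host.
SAMPLE_SHADOW='alice:$6$x:19000:0:90:7:::
bob:$6$y:19000:0:99999:7:::
carol:$6$z:19000:0::7:::
dave:!:19000:0:45:7:::
svc_backup:*:19000:0:::::
erin:$6$w:19000:0:180:7:::'

# find_nonexpiring SHADOW_TEXT LIMIT_DAYS
# Prints "user:max" for every account that still has a usable password
# hash and whose maximum age is missing, 99999, or above LIMIT_DAYS.
# Locked or disabled accounts (empty hash, "*", or a hash starting with
# "!") are skipped because no password can be used to log in to them.
find_nonexpiring() {
    printf '%s\n' "$1" | awk -F: -v limit="$2" '
        $2 == "" || $2 == "*" || $2 ~ /^!/ { next }
        $5 == "" || $5 + 0 >= 99999 || $5 + 0 > limit + 0 {
            m = ($5 == "") ? "never" : $5
            print $1 ":" m
        }
    '
}

# corrective_command USER
# Prints (does not run) the chage invocation that caps the password age
# and gives a 7-day warning before expiry.
corrective_command() {
    printf 'chage --maxdays %s --warndays 7 %s\n' "$MAX_AGE_DAYS" "$1"
}

# Usage: sh audit_expiry.sh --demo
if [ "${1:-}" = "--demo" ]; then
    find_nonexpiring "$SAMPLE_SHADOW" "$MAX_AGE_DAYS" | while IFS=: read -r user max; do
        echo "$user: max age $max -> $(corrective_command "$user")"
    done
fi
```

On a real host the same function can be fed the output of `getent shadow` or the contents of /etc/shadow read as root; the audit is read-only and only prints the command that would change each flagged account.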

Products

All Vendors

All Products

All Versions

References

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218