Insufficient Password Aging

Many enterprise security policies enforce “password aging,” i.e., require that users change their passwords at fixed intervals such as 90 or 180 days. Insufficient Password Aging allows a user to maintain the same password for an extended length of time, increasing the risk of password-based attacks.

To mitigate exposure to attacks that take advantage of Insufficient Password Aging, a password aging mechanism can be introduced that forces users to periodically change their passwords. The purpose of this policy is to reinforce information security by establishing a strong but reasonable password management practice that follows commonly held security guidelines.