Difference between revisions of "Not allowing password aging"

Jump to: navigation, search
Line 1: Line 1:
Line 61: Line 60:
[[Category:Protocol Errors]]
[[Category:Authentication Vulnerability]]
[[Category:Password Management Vulnerability]]

Revision as of 14:10, 12 June 2006


If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.


  • Authentication: As passwords age, the probability that they are compromised grows.

Exposure period

  • Design: Support for password aging mechanisms must be added in the design phase of development.


  • Languages: All
  • Operating platforms: All

Required resources




Likelihood of exploit

Very Low

Avoidance and mitigation

  • Design: Ensure that password aging functionality is added to the design of the system, including an alert previous to the time the password is considered obsolete, and useful information for the user concerning the importance of password renewal, and the method.


The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords.

In order for this functionality to be useful, however, it must be accompanied with documentation which stresses how important this practice is and which makes the entire process as simple as possible for the user.


  • A common example is not having a system to terminate old employee accounts.
  • Not having a system for enforcing the changing of passwords every certain period.

Related problems

  • Using password systems
  • Allowing password aging
  • Using a key past its expiration date