
Automatic Password Expiry [CHK-1331]

This customer check verifies whether passwords are set to expire automatically.

Rationale

The global recommendation since 2016, proposed by NIST, is not to have passwords automatically expire after a certain period. Forced expiry often leads to weaker passwords, because people tend to pick predictable sequences when they have to change them. Instead, it is advised to choose long passwords, not reuse passwords across different services, and use multi-factor authentication (MFA) wherever possible.

Check

This check has two possible outcomes:

  • Okay: Password expiry is disabled
  • Warning: Password expiry is enabled

Fix

An automated fix is available through Attic.


Manual steps:

  1. Navigate to the Microsoft 365 admin center at https://admin.microsoft.com
  2. Go to Settings > Org settings
  3. Click the "Security & privacy" tab
  4. Click "Password expiration policy"
  5. Check "Set passwords to never expire"
  6. Click "Save"
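The same check and fix can be audited from the command line. The script below is an added example and is not Attic's own code; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may read (and, with -Fix, write) domain settings. In Graph, a PasswordValidityPeriodInDays of 2147483647 means passwords never expire.

```powershell
# Added example (not Attic's code): report the Okay/Warning outcome of this
# check per verified domain, and optionally apply the fix via Microsoft Graph.
# Assumes the Microsoft.Graph.Identity.DirectoryManagement module is present.
param([switch]$Fix)

$NeverExpire = 2147483647   # Graph sentinel for "passwords never expire"
$scopes = if ($Fix) { 'Domain.ReadWrite.All' } else { 'Domain.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$results = foreach ($domain in Get-MgDomain | Where-Object IsVerified) {
    $days = $domain.PasswordValidityPeriodInDays
    if ($null -eq $days) { $days = 90 }   # service default when unset
    $expires = $days -ne $NeverExpire

    if ($expires -and $Fix) {
        # Equivalent of ticking "Set passwords to never expire" in the admin center
        Update-MgDomain -DomainId $domain.Id `
            -PasswordValidityPeriodInDays $NeverExpire `
            -PasswordNotificationWindowInDays 14
        $days = $NeverExpire
        $expires = $false
    }

    [pscustomobject]@{
        Domain       = $domain.Id
        ValidityDays = $days
        Outcome      = if ($expires) { 'Warning: Password expiry is enabled' }
                       else          { 'Okay: Password expiry is disabled' }
    }
}

$results | Format-Table -AutoSize
```

Run without -Fix first to see the outcome per domain; a per-user "DisablePasswordExpiration" value in PasswordPolicies is not covered by this domain-level check.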

Impact

Employees can still change the password themselves when necessary or desired, but will no longer be automatically forced to do so after a certain time.

More Information

This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:

  • CIS M365 1.5 - (L1) Ensure that Office 365 Passwords Are Not Set to Expire