Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. Counter Measure: Configure the Maximum password age setting to a value that is suitable for your organization's business requirements. When configuring this setting you should also configure the Minimum password age to a value that makes sense in combination with this one. Potential Impact: If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. [maximum no of days] (1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) REG: ### (3) WMI: ### oval:org.secpod.oval:def:36535 SCAP Repo OVAL Definition 2016-08-05