
Ensure 'default_password_lifetime' Is Less Than Or Equal To '90'


Password expiry gives passwords a time-bounded lifetime.


This benchmark prevents a password from being set for an indefinite period, thereby limiting how long a compromised password known to an attacker remains usable.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @param {Object} parameters - rule parameters; parameters.defaultPasswordLifetime is the maximum lifetime for a default password
 * @returns {boolean} true if default_password_lifetime is less than or equal to desired lifetime (90 by default)
 */
function validate(databaseSettings, parameters = { defaultPasswordLifetime : "90" }) {
    // The rule is only evaluated for the listed engine versions
    const supportedVersions = ["5.7"]
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported){
        return OK_SKIP_VERSION
    }

    const settingName = "default_password_lifetime"
    const currentValue = getServerSetting(databaseSettings, settingName)
    // Pass when the setting is a string whose numeric value does not exceed the limit
    const success = typeof currentValue === 'string' &&
                    Number(currentValue) <= Number(parameters.defaultPasswordLifetime)

    return {
        success // assumption: the page cuts off the returned object here; only this flag is recoverable
    }
}

// invoke
// TODO: add support for parameters input type
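
The comparison Number(currentValue) <= 90 in the rule above is also satisfied by "0", which MySQL documents as disabling automatic password expiration, and by an empty string, which Number() converts to 0. The following stricter evaluation is an added example, not part of the rule or the product it belongs to; evaluatePasswordLifetime and its reason strings are hypothetical names, and the sample values are constructed.

```javascript
// Added example, not the rule's own code. Names are hypothetical.

// MySQL documents default_password_lifetime as an integer in 0..65535,
// where 0 disables automatic password expiration.
const MYSQL_MAX_LIFETIME = 65535

/**
 * Classify a raw default_password_lifetime value against a maximum in days.
 * @param {*} rawValue - value as read from the server or parameter group
 * @param {number|string} maxDays - longest acceptable lifetime (90 by default)
 * @returns {{ compliant: boolean, reason: string }}
 */
function evaluatePasswordLifetime(rawValue, maxDays = 90) {
    const limit = Number(maxDays)
    if (!Number.isInteger(limit) || limit < 1) {
        throw new RangeError(`maxDays must be a positive integer, got ${maxDays}`)
    }
    // Accept plain digits only: Number("") and Number(" ") are 0, and
    // Number("9e1") is 90, so a bare Number() conversion is too permissive.
    const text = typeof rawValue === 'number' ? String(rawValue) : rawValue
    if (typeof text !== 'string' || !/^\d+$/.test(text.trim())) {
        return { compliant: false, reason: 'not-an-integer' }
    }
    const days = Number(text.trim())
    if (days > MYSQL_MAX_LIFETIME) {
        return { compliant: false, reason: 'out-of-range' }
    }
    if (days === 0) {
        // Numerically <= 90, but it means passwords never expire
        return { compliant: false, reason: 'expiry-disabled' }
    }
    if (days > limit) {
        return { compliant: false, reason: 'lifetime-too-long' }
    }
    return { compliant: true, reason: 'ok' }
}

// Constructed sample values, including ones the plain <= comparison accepts
const samples = ['90', '0', '', '360', 30, null, '9e1']
for (const sample of samples) {
    console.log(JSON.stringify(sample), evaluatePasswordLifetime(sample))
}
```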