---
id: RHEL-07-010220
status: opt-in
tag: auth
---

Although the STIG requires that all passwords have a maximum lifetime set, this
can cause authentication disruptions in production environments if users are
not aware that their password will expire. Therefore, this change is not
applied by default.

Deployers can opt in for this change and provide a maximum lifetime for user
passwords (in days) by setting the following Ansible variable:

.. code-block:: yaml

    security_password_max_lifetime_days: 60

The STIG requires that all passwords expire after 60 days.