8.2.4 Change user passwords/passphrases at least every 90 days.
8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
8.2.4.b Additional testing procedure for service providers: Review internal processes and customer/user documentation to verify that:
• Non-consumer user passwords are required to change periodically; and
• Non-consumer users are given guidance as to when, and under what circumstances, passwords must change.
Passwords/phrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.
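One way to carry out the configuration inspection in 8.2.4.a on a Linux system component, shown as an added example that is not part of the standard: it checks both the default for new accounts and the per-account maximum age, since the default does not change accounts that already exist. The Linux `login.defs` and `shadow` formats, the function names, and the sample data are assumptions made for illustration.

```python
# Added example: audit password max-age settings against the 90-day limit in 8.2.4.
# Assumes Linux login.defs / shadow file formats; all sample data below is constructed.
MAX_AGE_DAYS = 90

SAMPLE_LOGIN_DEFS = """\
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
"""

SAMPLE_SHADOW = """\
alice:$6$salt$hash:19700:0:90:7:::
bob:$6$salt$hash:19700:0:99999:7:::
carol:$6$salt$hash:19700:0::7:::
dave:$6$salt$hash:19700:0:180:7:::
svc_backup:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

def default_max_days(login_defs_text):
    """Return PASS_MAX_DAYS from login.defs text, or None if it is not set."""
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "PASS_MAX_DAYS":
            return int(fields[1])
    return None

def noncompliant_accounts(shadow_text, limit=MAX_AGE_DAYS):
    """Return {user: reason} for password-enabled accounts whose max age exceeds limit."""
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        user, pw_hash, max_days = fields[0], fields[1], fields[4]
        # "!" or "*" prefix: password login is disabled, so there is nothing to age out.
        if pw_hash.startswith(("!", "*")):
            continue
        if max_days == "" or int(max_days) < 0:
            findings[user] = "no maximum age set"
        elif int(max_days) > limit:
            findings[user] = f"maximum age {max_days} days"
    return findings

def audit(login_defs_text, shadow_text, limit=MAX_AGE_DAYS):
    """Combine the default for new accounts with the per-account settings."""
    default = default_max_days(login_defs_text)
    return {"default": default,
            "default_ok": default is not None and 0 < default <= limit,
            "accounts": noncompliant_accounts(shadow_text, limit)}
```

On a real system the two inputs would be the contents of `/etc/login.defs` and `/etc/shadow`, read with root privileges.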