Password Expiration


Password Expiration is the concept within a Password Policy of limiting the length of time that a user can continue to use the same password.

Should organizations mandate Password Periodic Changes?#

Mandated Regular Password Changes are a long-standing security practice whose effectiveness has been questioned by the following, all of which recommend that passwords SHOULD NOT be arbitrarily expired after some interval.


Some LDAP Server Implementations implement the Password Modify Extended Operation supportedExtension. This can allow the user to receive warning messages, in the form of a supportedControl in the bind Response, as the password expiration time draws near.

Typically, once the password has expired and there are no Grace Logins left, the entry will no longer be allowed to perform Authentication.

Once the user's password has expired, it may be necessary for an administrator to perform a Password Reset before the account may be used. Alternately, if the password policy is configured appropriately, the user may also be able to perform a Password Change for their own expired password using the Password Modify Extended Operation or by using a Password Management Application.

AD Determining Password Expiration#

AD Determining Password Expiration explains how Password Expiration works in Microsoft Active Directory.


Several LDAP Server Implementations follow the draft-behera-ldap-password-policy as one of their Password Management Methodologies.

eDirectory Password Expiration#

eDirectory Password Expiration explains how eDirectory determines Password Expiration.

eDirectory Administrative Password Changes#

When eDirectory Administrative Password Changes are applied to a user's password, the password is normally expired (i.e., a Password Reset).
