
Password Expiration Screenshot Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves that your company has a password expiration policy configured, so that the setting can be evidenced in a Cyber Essentials submission. One caveat a reviewer should be aware of: current NCSC guidance, which Cyber Essentials follows, does not call for routine password expiry (forced periodic changes tend to produce weaker, predictable passwords); what the scheme requires is that passwords are changed promptly whenever compromise is known or suspected. Periodic expiry is therefore an additional control rather than a mandatory one. If you have chosen to enforce it, this guide shows how to evidence it so that long-lived credentials are demonstrably refreshed and a leaked password has a bounded useful life.


2. What You Will Submit

You will need:

  • A screenshot showing the password expiration settings in your environment.

  • The screenshot should display:

    • Password expiration period (e.g., 90 days).

    • Enforcement at the domain or system level.

    • Confirmation that the policy is active, not just a draft.


3. How to Collect / Obtain / Generate This Evidence

Microsoft Active Directory (on-premises domain):

  1. Open Group Policy Management, edit the Default Domain Policy (or whichever GPO linked at the domain root carries your account policy) and go to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.

  2. Locate Maximum password age.

  3. Screenshot the value (e.g., 90 days). Account policies only take effect from a GPO linked at the domain root, so make sure the GPO name and link are visible. If you use fine-grained password policies (PSOs), capture those as well: they override the domain value for the groups they apply to and do not appear in the Group Policy view.

Microsoft 365 / Entra ID (cloud-only accounts):

  1. Log into the Microsoft 365 admin center → Settings → Org settings → Security & privacy.

  2. Under Password expiration policy, confirm that "Set passwords to never expire" is unchecked and note the number of days before passwords expire.

  3. Screenshot this setting. In a hybrid tenant, the cloud expiry policy is not applied to accounts synchronised from on-premises AD unless the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature is enabled; for those accounts the on-premises policy is the one to evidence.

Google Workspace:

  1. Open Admin Console → Security → Authentication → Password Management.

  2. Check the Expiration setting; it should show a number of days rather than "Never expires".

  3. Screenshot the setting with applied value.

Other Systems (Okta, OneLogin, etc.):

  1. Go to Security / Policies → Password Policy.

  2. Locate expiration/rotation settings.

  3. Screenshot policy configuration.
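A screenshot of the Default Domain Policy shows the configured value, not necessarily the effective one: a fine-grained password policy, an unlinked GPO, or an account flagged "password never expires" can all make the screenshot misleading. The following PowerShell script is an added example, not part of this guide or any vendor tooling; it exports the effective expiry configuration as a text file to accompany the screenshot. It assumes a domain-joined admin host with the RSAT ActiveDirectory module and, for the optional `-IncludeEntra` switch, the Microsoft.Graph PowerShell module with consent to the Domain.Read.All scope. The company name, output folder and script file name are placeholders; the 2147483647 sentinel is how Entra ID reports "never expires".

```powershell
<#
  Added example: export the *effective* password-expiry configuration as evidence.
  Assumptions: RSAT ActiveDirectory module on a domain-joined host; for
  -IncludeEntra, Microsoft.Graph installed and Domain.Read.All consent available.
  CompanyName and OutDir are placeholders.
#>
param(
    [string]$CompanyName = 'AcmeCorp',    # placeholder
    [string]$OutDir      = '.\evidence',  # placeholder
    [switch]$IncludeEntra
)

Import-Module ActiveDirectory

function Get-ExpiryFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Domain-wide policy as actually applied, regardless of which GPO you opened.
    $dom = Get-ADDefaultDomainPasswordPolicy
    $maxDays  = [math]::Round($dom.MaxPasswordAge.TotalDays)
    $enforced = $maxDays -gt 0    # assumption: treat 0 or negative as "never expires"
    $findings.Add("Domain $($dom.DistinguishedName): MaxPasswordAge=$maxDays days; enforced=$enforced")

    # 2. Fine-grained password policies override the domain value for their targets
    #    and never show up in a Group Policy screenshot.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $psoDays = [math]::Round($pso.MaxPasswordAge.TotalDays)
        $targets = $pso.AppliesTo -join ', '
        $findings.Add("PSO '$($pso.Name)' (precedence $($pso.Precedence)): MaxPasswordAge=$psoDays days; applies to $targets")
    }

    # 3. Per-account exemptions bypass expiry whatever the policy says.
    $exempt = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                          -Properties PasswordNeverExpires)
    $findings.Add("Enabled accounts flagged PasswordNeverExpires: $($exempt.Count)")
    foreach ($u in $exempt) { $findings.Add("  exempt: $($u.SamAccountName)") }

    # 4. Optional cloud side: Entra ID reports expiry per verified domain.
    if ($IncludeEntra) {
        Import-Module Microsoft.Graph.Identity.DirectoryManagement
        Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null
        foreach ($d in Get-MgDomain) {
            $days  = $d.PasswordValidityPeriodInDays
            $state = if ($days -eq 2147483647) { 'never expires' } else { "$days days" }
            $findings.Add("Entra domain $($d.Id): $state")
        }
    }
    return $findings
}

# Write the evidence file using the naming convention from section 4.
$stamp  = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir "${CompanyName}_PasswordExpiration_$stamp.txt"

$body = @("Generated: $(Get-Date -Format o)", "Collected on: $env:COMPUTERNAME") + (Get-ExpiryFindings)
$body | Set-Content -Path $report -Encoding UTF8
$body | ForEach-Object { Write-Output $_ }
Write-Output "Evidence written to $report"
```

Run it as, for example, `.\Export-PasswordExpiryEvidence.ps1 -CompanyName AcmeCorp -IncludeEntra` (the file name is a placeholder). If the output lists a PSO with a longer maximum age than the domain, or any enabled account with PasswordNeverExpires set, address those before submitting, because an assessor who checks a sample account will find the gap.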


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_PasswordExpiration_YYYY-MM-DD.png
    Example: AcmeCorp_PasswordExpiration_2025-07-01.png


5. What “Good” Looks Like

  • Screenshot shows a specific expiration timeframe (not blank/disabled).

  • Policy scope visible (applies to users or domain).

  • Captured from official admin console (Active Directory, M365, Google Admin, etc.).

Why it matters: auditors want proof that password expiration is actually enforced on live accounts, not merely configured in a policy that is unlinked, disabled, or overridden by per-account exemptions.


6. Tips

  • Pair this with your Password Compromise Screenshot to demonstrate layered defence.

  • Redact user names or tenant IDs from screenshots.

  • Standardise expiration values (e.g., 90 days) across all systems to avoid gaps, and review any accounts marked "password never expires", since they bypass the policy you are evidencing.