Password aging is the concept that forces a user to periodically change his or her password. If the password is not changed within a specific amount if time, it expires and must be changed. The idea behind password aging is that a password is less likely to be compromised if it is changed regularly.

For users with local authentication the Application Server can enforce password aging with a configurable maximum password age.If a password has expired (the password was not changed within the predefined maximum password age) the user cannot create a new session. However he can authenticate by giving his old password and at the same time set a new password.

The maximum password age is configured by the global setting User sessions & security: Maximum password age [d]. This setting gives defines the maximum password age in days. Setting the User sessions & security: Maximum password age [d] to zero will disable password aging. Whenever a password is changed the system checks this global setting, if it is greater than zero the new password's expiry date will be set to CurrentTimestamp + MaximumPasswordAge. Therefore changing this setting will not affect already set password expiry dates.

Users with the Manage users and user groups (0) system permission can set the password expiry date of each user to a specific date.

For newly created users Redbex will set the password expiry date to a date in the past, so that on the first login a user will always have to change his password.