Stale Password Audit

Stale Password Audit Report

Report ID: security-stale-passwords
Category: Security

Purpose

This report identifies unlocked PeopleSoft user accounts whose passwords have not been changed within a configurable number of days. External auditors will ask. SSO accounts are automatically excluded, so the list is users who still have a real PeopleSoft password.

What It Detects

The report categorizes stale password accounts into three severity levels based on how long the password has been unchanged:

CRITICAL — Password Not Changed in Over 1 Year

Unlocked accounts where the password has not been changed in over 365 days. These represent the highest risk and should be addressed immediately.

WARNING — Password Not Changed in Over 180 Days

Unlocked accounts where the password is between 180 and 365 days old.

INFO — Password Exceeds Configured Threshold

Unlocked accounts where the password exceeds the configured threshold (default 90 days) but is less than 180 days old.

The report also separately identifies:

  • No Password Change Date Recorded: unlocked accounts with no recorded LASTPSWDCHANGE value (may be migrated or misconfigured)

SSO users (accounts with no PeopleSoft password set) are automatically excluded from this report.

Table Queried

PSOPRDEFN — Operator Definitions (User Accounts)

The primary record for PeopleSoft user accounts.

| Field | Description | Values |
|---|---|---|
| OPRID | User ID (primary key) | |
| OPRDEFNDESC | User description/name | |
| LASTPSWDCHANGE | Date of last password change | Date format |
| LASTSIGNONDTTM | Date/time of last sign-on | Datetime format |
| ACCTLOCK | Account lock status | 0 = Active, 1 = Locked |
| PTOPERPSWDV2 | Password hash | Non-empty means a password is set (SSO users have no password) |
| OPRCLASS | Primary permission list | |

Data Flow

1. Fetch ALL users from PSOPRDEFN
   via SearchUsers (batches of 300)
        |
        v
2. Filter:
   - Skip locked accounts (ACCTLOCK = 1)
   - Skip SSO users (no password set)
        |
        v
3. Parse LASTPSWDCHANGE date and compute days since change
        |
        v
4. Categorize into severity buckets:
   CRITICAL: > 365 days since password change
   WARNING:  > 180 days
   INFO:     > staleDays threshold (default 90)
   Plus: No change date recorded
        |
        v
5. Sort each category by days since change (oldest first)
        |
        v
6. Generate Markdown report grouped by severity
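The filter-and-bucket logic of steps 2 through 5, as an added illustration that is not the report's own code: the row class, the sample rows and the fixed evaluation date are constructed here, and only the PSOPRDEFN column names come from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed row shape; attribute names follow the PSOPRDEFN columns above.
@dataclass
class OprDefn:
    OPRID: str
    OPRDEFNDESC: str
    LASTPSWDCHANGE: Optional[str]   # "YYYY-MM-DD", or None if never recorded
    ACCTLOCK: int                   # 0 = active, 1 = locked
    PTOPERPSWDV2: str               # empty string = SSO user, no PS password
    OPRCLASS: str

SEVERITY = ("CRITICAL", "WARNING", "INFO", "NO_DATE")

def categorize(users, today, stale_days=90):
    """Return {severity: [(days_since_change, user), ...]}, oldest first."""
    buckets = {s: [] for s in SEVERITY}
    for u in users:
        if u.ACCTLOCK == 1 or not u.PTOPERPSWDV2:
            continue                      # locked or SSO: out of scope
        if not u.LASTPSWDCHANGE:
            buckets["NO_DATE"].append((None, u))
            continue
        age = (today - date.fromisoformat(u.LASTPSWDCHANGE)).days
        if age > 365:
            buckets["CRITICAL"].append((age, u))
        elif age > 180:
            buckets["WARNING"].append((age, u))
        elif age > stale_days:
            buckets["INFO"].append((age, u))
        # else: within policy, not reported
    for s in ("CRITICAL", "WARNING", "INFO"):
        buckets[s].sort(key=lambda t: t[0], reverse=True)   # oldest first
    return buckets

# Constructed sample rows (not real accounts), evaluated against a fixed date.
TODAY = date(2024, 6, 30)
SAMPLE = [
    OprDefn("ALICE", "Alice", "2022-01-15", 0, "hash", "PLIST_A"),  # 897 days
    OprDefn("HEIDI", "Heidi", "2021-06-01", 0, "hash", "PLIST_A"),  # 1125 days
    OprDefn("BOB",   "Bob",   "2023-12-01", 0, "hash", "PLIST_A"),  # 212 days
    OprDefn("CAROL", "Carol", "2024-03-15", 0, "hash", "PLIST_A"),  # 107 days
    OprDefn("DAVE",  "Dave",  "2024-05-01", 0, "hash", "PLIST_A"),  # 60 days, compliant
    OprDefn("ERIN",  "Erin",  "2020-01-01", 1, "hash", "PLIST_A"),  # locked, skipped
    OprDefn("FRANK", "Frank", "2020-01-01", 0, "",     "PLIST_A"),  # SSO, skipped
    OprDefn("GRACE", "Grace", None,         0, "hash", "PLIST_A"),  # no change date
]

def sample_report():
    """Severity -> list of OPRIDs, in the order the report would list them."""
    return {s: [u.OPRID for _, u in rows] for s, rows in categorize(SAMPLE, TODAY).items()}
```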

Parameters

| Parameter | Default | Description |
|---|---|---|
| staleDays | 90 | Number of days after which a password is considered stale |

Report Output

The generated report contains:

  • Header with database name, generation timestamp, and threshold parameter
  • Summary with total user counts, unlocked count, and counts per severity category
  • CRITICAL section (if any): Table with user ID (linked), description, last password change date, days since change, last sign-on, permission list
  • WARNING section (if any): Same table format
  • INFO section (if any): Same table format
  • No Password Change Date section (if any): Table with user ID, description, last sign-on, permission list
  • Recommendations based on which categories have findings

Interpreting Results

  • CRITICAL findings require immediate action. Passwords unchanged for over a year are a significant security risk, especially if the accounts are actively used (check the Last Sign-on column).
  • WARNING findings should be scheduled for remediation. These accounts are approaching a year without a password change.
  • INFO findings indicate policy non-compliance. The accounts exceed your configured threshold but are not yet at the warning level.
  • No Password Change Date accounts are often migrated accounts. Verify they are legitimate and consider requiring a password reset.
  • SSO users (no PeopleSoft password set) are automatically excluded from this report.

Recommendations

  1. Implement PeopleSoft password controls (PTPWDPOLICY) to enforce automatic password expiration. Configure under PeopleTools > Security > Password Configuration > Password Controls.
  2. Investigate accounts with no password change date — these may need manual password resets.