That dormant account for a contractor who left six months ago? It’s a gold mine for an attacker. I’ve seen too many breaches start with credentials that were valid but simply forgotten.
This isn’t rocket science, folks. Inactive accounts are a massive attack surface that organizations consistently overlook. They sit there, often with old, unrotated passwords, waiting to be exploited. It’s basic hygiene, yet it’s missed.
Automatically lock accounts after 30 days of inactivity. For new users, set the default: sudo useradd -D -f 30. For existing users, apply it: sudo chage --inactive 30 <username>
If you’re not doing this, you’re leaving a gaping hole. Period.
The fix
# For new users (sets the default in /etc/default/useradd):
sudo useradd -D -f 30
# For existing users:
sudo chage --inactive 30 <username>
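A quick audit to find the accounts this setting has not reached yet, as an added example that is not part of the original post: it reads the inactivity field of /etc/shadow (the field chage --inactive writes) and checks the useradd default. The shadow content and the INACTIVE= line below are constructed samples, not from a real host.

```shell
#!/bin/sh
# Added example: report local accounts that would NOT be locked within the
# 30-day inactivity window. /etc/shadow field 7 is the inactivity period;
# empty or -1 means "never lock".
MAX_INACTIVE=30

# Constructed sample /etc/shadow content for offline demonstration.
# On a real host run: audit_shadow_inactive /etc/shadow
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19700:0:99999:7:30::
contractor:$6$saltsalt$hashhash:19500:0:99999:7:::
alice:$6$saltsalt$hashhash:19800:0:99999:7:-1::
bob:$6$saltsalt$hashhash:19800:0:99999:7:60::
daemon:*:19000:0:99999:7:::
svc_locked:!$6$saltsalt$hashhash:19000:0:99999:7:::'

# Print "user:inactive" for every account that has a usable password hash
# (field 2 starts with "$") and whose inactivity period is unset, -1, or
# above MAX_INACTIVE. Accounts with "!" or "*" cannot log in with a
# password and are skipped, matching the CIS audit scope.
audit_shadow_inactive() {
    awk -F: -v max="$MAX_INACTIVE" '
        $2 ~ /^\$/ {
            if ($7 == "" || $7 < 0 || $7 > max) {
                printf "%s:%s\n", $1, ($7 == "" ? "unset" : $7)
            }
        }' "$1"
}

# Check the default for new accounts from "useradd -D" output, which
# contains a line INACTIVE=<n>. Returns 0 when 0 <= n <= MAX_INACTIVE,
# 1 otherwise (including -1, which disables the lock).
check_useradd_default() {
    n=$(printf '%s\n' "$1" | sed -n 's/^INACTIVE=//p')
    [ -n "$n" ] && [ "$n" -ge 0 ] && [ "$n" -le "$MAX_INACTIVE" ]
}

# Demo run against the constructed sample
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
audit_shadow_inactive "$tmp"
rm -f "$tmp"
```

Pipe the real `useradd -D` output into check_useradd_default to verify the default alongside the per-user report.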
Reference: CIS Linux Benchmark 5.4.1.4