5.2.7 Ensure Password Age Is Configured

Information

Over time, passwords can be captured by third parties through user mistakes, phishing attacks, third-party breaches, or plain brute-force attacks. To reduce the window of exposure and to decrease the incentive for password reuse (passwords that are not forced to change periodically are generally never changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate reuse of the macOS account password in other realms that may be more prone to compromise, since attackers take advantage of exposed credentials to attack other accounts.

Rationale:

Passwords should be changed periodically to reduce exposure.

Impact:

Required password changes will lead to some locked computers requiring admin assistance.

Solution

Terminal Method:
Run the following command to require that passwords expire after at most 365 days (525600 minutes):

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=<value<=525600>'

Example (43200 minutes is 30 days):

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=43200'
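An added audit helper, not part of the CIS benchmark or the Tenable plugin, that parses the key=value output of pwpolicy -getglobalpolicy and flags a maximum age that is missing, zero, or longer than 365 days. The sample policy lines are constructed, and the assumption that an absent key or a value of 0 means no maximum age is enforced is mine.

```shell
#!/bin/sh
# Added audit helper (not from the CIS/Tenable page). It parses the key=value
# output of `pwpolicy -n /Local/Default -getglobalpolicy` and reports whether
# maxMinutesUntilChangePassword is set and no larger than 365 days.
# Assumption: the key is absent or 0 when no maximum password age is enforced.

MAX_MINUTES=525600   # 365 days * 24 h * 60 min, the benchmark's upper bound

# pwpolicy_max_minutes POLICY_TEXT -> prints the maxMinutesUntilChangePassword
# value found in POLICY_TEXT, or 0 if the key is missing.
pwpolicy_max_minutes() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^maxMinutesUntilChangePassword=\([0-9][0-9]*\)$/\1/p' | head -n 1 | grep . || echo 0
}

# check_password_age POLICY_TEXT -> exit 0 if compliant (1..525600 minutes),
# exit 1 otherwise; prints the age in days for the audit log.
check_password_age() {
    minutes=$(pwpolicy_max_minutes "$1")
    if [ "$minutes" -le 0 ]; then
        echo "FAIL: no maximum password age set (maxMinutesUntilChangePassword=0 or missing)"
        return 1
    fi
    days=$((minutes / 1440))
    if [ "$minutes" -gt "$MAX_MINUTES" ]; then
        echo "FAIL: maximum password age is $days days (> 365)"
        return 1
    fi
    echo "PASS: maximum password age is $days days"
    return 0
}

# Constructed sample output in the shape pwpolicy prints (key=value tokens);
# the values are illustrative, not captured from a real system.
SAMPLE_COMPLIANT='Getting global policy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 maxMinutesUntilChangePassword=43200 minChars=0 maxChars=0'
SAMPLE_NO_EXPIRY='Getting global policy
usingHistory=0 maxMinutesUntilChangePassword=0 minChars=0'
SAMPLE_TOO_LONG='Getting global policy
maxMinutesUntilChangePassword=1051200 minChars=0'

# Audit the live system when pwpolicy exists (macOS); otherwise run the samples.
if command -v pwpolicy >/dev/null 2>&1; then
    check_password_age "$(pwpolicy -n /Local/Default -getglobalpolicy 2>/dev/null)" || :
else
    for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_NO_EXPIRY" "$SAMPLE_TOO_LONG"; do
        check_password_age "$sample" || :
    done
fi
```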

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.mobiledevice.passwordpolicy

The key to include is maxPINAgeInDays

The key must be set to <integer><value<=365></integer>

Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Unix

Control ID: 53b51750348c095a3fd4ff18341ecbf8773d09eeb5a21e501a9f97dc36f35155