5.2.2 Ensure Password Minimum Length Is Configured

Information

A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.

Ensure that a minimum of a 15-character password is part of the password policy on the computer.

Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.

Rationale:

Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.

Impact:

Short passwords can be easily attacked.

Solution

Terminal Method:
Run the following command to set the password length to greater than or equal to 15:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'minChars=<value>=15>'

example:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'minChars=15'

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.mobiledevice.passwordpolicy

The key to include is minLength

The key must be set to <integer><value>=15></integer>

Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 7327c11ba580df3340f4e5bcd499624af7153c89df1a43254326cf3571b477d9