5.2.5 Ensure Complex Password Must Contain Special Character Is Configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a special character is part of the password policy on the computer.

Rationale:

The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system.

Impact:

Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts.

Solution

Perform the following to enable passwords to require at least 1 special characters:
Terminal Method:
Run the following command to set passwords to require at least one special character:

$ sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy -setaccountpolicies 'requiresSymbol=<value>=1>'

example:

$ sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'requiresSymbol=1'

Profile Method:

Create or edit a configuration profile with the PayloadType of com.apple.mobiledevice.passwordpolicy

Add the key minComplexChars

Set the key to <integer><value>=1></integer>

See Also

https://workbench.cisecurity.org/files/4004