2.10.5 Ensure Show Password Hints Is Disabled

Warning: Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Password hints are user-created text that the login window displays after a number of failed password attempts for an account (by default, after the third failed attempt).

Rationale:

Password hints make it easier for unauthorized persons to gain access to systems by displaying information the user supplied to help remember the password. This information could include the password itself or other details that could be readily discerned with basic knowledge of the end user.

Impact:

The user can set the hint to any value, including the password itself or clues that allow trivial social engineering attacks.

Solution

Graphical Method:
Perform the following steps to disable password hints from being shown:

Open System Settings

Select Lock Screen

Set 'Show password hints' to disabled

Terminal Method:
Run the following command to disable password hints:

$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.loginwindow

The key to include is RetriesUntilHint

The key must be set to <integer>0</integer>

See Also

https://workbench.cisecurity.org/files/4159