5.2.5 Ensure Complex Password Must Contain Special Character Is Configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a special character is part of the password policy on the computer.

Rationale:

The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system.

Impact:

Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts.

Solution

Terminal Method:
Run the following command to set passwords to require at least one special character:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy -setaccountpolicies 'requiresSymbol=<value>=1>'

example:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'requiresSymbol=1'

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.mobiledevice.passwordpolicy

The key to include is minComplexChars

The key must be set to <integer><value>=1></integer>

Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.

Additional Information:

Note: The CIS macOS community has decided to not require the additional password complexity settings (Recommendations 5.3 - 5.6). Because of that, we have left the complexity recommendations as a manual assessment. Since there are a large amount of admins in the greater macOS world that do need these settings, we include both the guidance for the proper setting as well as probes for CIS-CAT to test.

See Also

https://workbench.cisecurity.org/files/4159