InformationComplex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a special character is part of the password policy on the computer.
The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system.
Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts.
Run the following command to set passwords to require at least one special character:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy -setaccountpolicies 'requiresSymbol=<value>=1>'
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'requiresSymbol=1'
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is minComplexChars
The key must be set to <integer><value>=1></integer>
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.
Note: The CIS macOS community has decided to not require the additional password complexity settings (Recommendations 5.3 - 5.6). Because of that, we have left the complexity recommendations as a manual assessment. Since there are a large amount of admins in the greater macOS world that do need these settings, we include both the guidance for the proper setting as well as probes for CIS-CAT to test.