5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured


Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters.

Ensure that both uppercase and lowercase letters are part of the password policy on the computer.


The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system.


Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts.


Terminal Method:
Run the following command to set passwords to require at upper and lower case letter:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'requiresMixedCase=<value>=1>'


$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'requiresMixedCase=1'

Additional Information:

Note: The CIS macOS community has decided to not require the additional password complexity settings (Recommendations 5.3 - 5.6). Because of that, we have left the complexity recommendations as a manual assessment. Since there are a large amount of admins in the greater macOS world that do need these settings, we include both the guidance for the proper setting as well as probes for CIS-CAT to test.

See Also


Item Details


References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: dd6526937207666ec08286d06642b1751a99d3a0afb08d752d7707e2e6a59642