2.11.1 Ensure Users' Accounts Do Not Have a Password Hint


Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.


Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks.


Graphical Method:
Perform the following steps to remove a user's password hint:

1. Open System Settings
2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs)
3. Select Change...
4. Change the password and ensure that no text is entered in the Password hint box

Note: This will only change the currently logged-in user's password, and not any others that are not compliant on the Mac. Use the terminal method if multiple users are not in compliance.

Terminal Method:
Run the following command to list every user account that has a password hint set (each line shows the username followed by the hint):

$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint

Run the following command to remove a user's password hint:

$ /usr/bin/sudo /usr/bin/dscl . -delete /Users/<username> hint

Example for a Mac with two non-compliant users:

$ /usr/bin/sudo /usr/bin/dscl . -delete /Users/firstuser hint

$ /usr/bin/sudo /usr/bin/dscl . -delete /Users/seconduser hint
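As an added example that is not part of this benchmark item, the following POSIX shell script turns the terminal method into a multi-user audit: it parses the output of the dscl list command for every user that has a hint and prints the matching dscl -delete command for each, for review before anything is changed. The dscl output format (one line per user record, "<username> <hint text>") and the sample output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Audits all local users for a
# password hint from the output of `dscl . -list /Users hint` and emits the
# per-user remediation command instead of running it, so the list can be
# reviewed first. Assumed output format: one line per user record,
# "<username> <hint text>"; a line with only a username means no hint.

# Read dscl list output on stdin; print usernames whose hint field is set.
users_with_hint() {
    awk 'NF >= 2 { print $1 }'
}

# Read usernames on stdin; print the matching dscl -delete command for each.
remediation_for() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '/usr/bin/sudo /usr/bin/dscl . -delete /Users/%s hint\n' "$user"
    done
}

# Constructed sample output for a Mac with two non-compliant users and one
# compliant user. On a real host feed the live command instead:
#   /usr/bin/sudo /usr/bin/dscl . -list /Users hint | users_with_hint
sample_dscl_output='firstuser my dogs name
seconduser same as always
thirduser'

# Run the audit over the constructed sample and return the flagged users.
audit_sample() {
    printf '%s\n' "$sample_dscl_output" | users_with_hint
}

audit_sample | remediation_for
```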

Additional Information:

Organizations might consider entering an organizational help desk phone number or other text (such as a warning to the user). A help desk number is only appropriate for organizations with trained help desk personnel that are validating user identities for password resets.

Item Details


References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: e9800476358567c1318be23c69383b206f99e89996742bf76fc2b6403b542b5c