S 4.376 Specifying password policies under Mac OS X

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Password policies must be defined for all Mac OS X clients so that each client is protected by a sufficiently secure password. The actions described in S 2.11 Provisions governing the use of passwords also apply to Mac OS X. The command line program "pwpolicy" can be used for this purpose; it allows, for example, the minimum number of letters and digits, a minimum password length, or the maximum number of failed login attempts to be defined. A minimum password length of 8 characters is required when alphanumeric characters are used for the password. Furthermore, the password must be changed regularly.

The following command defines a global password policy that requires a minimum password length of 8 characters and grants 8 failed login attempts before the account is disabled.

pwpolicy -n /Local/Default -setglobalpolicy "minChars=8 maxFailedLoginAttempts=8"

Further possible password policies are:

Variable: Function

usingHistory: 0 = the user may use the current password again; 1 = the user is not allowed to use the current password again; 2-15 = the user is not allowed to use the past n passwords again.
usingExpirationDate: If the value is 1, the user will be requested to change the password at the time stated in expirationDateGMT.
usingHardExpirationDate: If the value is 1, the account will be disabled at the time stated in hardExpireDateGMT.
requiresAlpha: If the value is 1, at least one letter must be included in the password.
requiresNumeric: If the value is 1, at least one digit must be included in the password.
expirationDateGMT: Date on which the password must be changed. Format: mm/dd/yy
hardExpireDateGMT: Date on which the account will be disabled. Format: mm/dd/yy
maxMinutesUntilChangePassword: The user must change the password in accordance with the interval (in minutes) stated in this parameter.
maxMinutesUntilDisabled: The account will be disabled after the number of minutes stated in this parameter has expired.
maxMinutesOfNonUse: The account will be disabled after the period of non-use (in minutes) stated in this parameter has expired.
maxFailedLoginAttempts: The account will be disabled if the number of failed login attempts exceeds the number stated in this parameter.
minChars: The password must contain at least the number of characters stated in this parameter.
maxChars: The password must not contain more than the number of characters stated in this parameter.

The Mac OS X manual page for pwpolicy (man pwpolicy) lists further parameters for defining password policies.
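As an added example (not part of the BSI safeguard text), the following POSIX shell script reads the global policy set with pwpolicy and checks it against the requirements above: minimum length 8, letters and digits required, a bounded number of failed login attempts and a regular change interval. It assumes that "pwpolicy -n /Local/Default -getglobalpolicy" prints one line of space-separated key=value pairs and that a value of 0 for maxFailedLoginAttempts means no limit; the sample policy lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Checks a pwpolicy global-policy line against the S 4.376 / S 2.11 requirements.
# Assumption: the policy is one line of space-separated key=value pairs, and
# maxFailedLoginAttempts=0 means the account is never locked.

# policy_get POLICY_LINE KEY -> prints the value of KEY, or nothing if it is absent.
policy_get() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_policy POLICY_LINE -> prints one line per violation, returns their number.
check_policy() {
  policy="$1"
  fails=0
  v=$(policy_get "$policy" minChars)
  [ "${v:-0}" -ge 8 ] 2>/dev/null || { echo "FAIL minChars=${v:-unset} (need >= 8)"; fails=$((fails + 1)); }
  v=$(policy_get "$policy" requiresAlpha)
  [ "${v:-0}" -eq 1 ] 2>/dev/null || { echo "FAIL requiresAlpha=${v:-unset} (need 1)"; fails=$((fails + 1)); }
  v=$(policy_get "$policy" requiresNumeric)
  [ "${v:-0}" -eq 1 ] 2>/dev/null || { echo "FAIL requiresNumeric=${v:-unset} (need 1)"; fails=$((fails + 1)); }
  # The safeguard's example grants 8 attempts; 0 would never lock the account.
  v=$(policy_get "$policy" maxFailedLoginAttempts)
  { [ "${v:-0}" -ge 1 ] && [ "${v:-0}" -le 8 ]; } 2>/dev/null || { echo "FAIL maxFailedLoginAttempts=${v:-unset} (need 1..8)"; fails=$((fails + 1)); }
  # "Changed regularly": a non-zero change interval must be configured.
  v=$(policy_get "$policy" maxMinutesUntilChangePassword)
  [ "${v:-0}" -ge 1 ] 2>/dev/null || { echo "FAIL maxMinutesUntilChangePassword=${v:-unset} (need > 0)"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "OK: policy meets the S 4.376 requirements"
  return "$fails"
}

# Constructed sample policy lines (not taken from a real host).
SAMPLE_WEAK='usingHistory=0 requiresAlpha=0 requiresNumeric=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 maxMinutesUntilChangePassword=0'
SAMPLE_OK='usingHistory=5 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=8 minChars=8 maxChars=0 maxMinutesUntilChangePassword=129600'

# On a Mac, check the live policy; elsewhere, demonstrate on the constructed samples.
if command -v pwpolicy >/dev/null 2>&1; then
  check_policy "$(pwpolicy -n /Local/Default -getglobalpolicy)" || echo "live policy: $? violation(s)"
else
  check_policy "$SAMPLE_OK" || echo "sample OK policy: $? violation(s)"
  check_policy "$SAMPLE_WEAK" || echo "sample weak policy: $? violation(s)"
fi
```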

Review questions: