Information:
Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.
Rationale:
Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks.
Solution:
Perform the following to remove users' password hints:
Graphical Method:
Open System Preferences
Select Users & Groups
Select the Current User
Select Change Password
Change the password and ensure that no text is entered in the Password hint box
Terminal Method:
Run the following command to remove a user's password hint:
$ sudo dscl . -delete /Users/<username> hint
Example:
$ sudo dscl . -delete /Users/firstuser hint
$ sudo dscl . -delete /Users/seconduser hint
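The terminal method above removes the hint one user at a time and relies on the administrator already knowing which accounts have one. The following POSIX shell script is an added example, not part of the benchmark text or of any Apple tooling: it parses the output of `dscl . -readall /Users RecordName hint` to list every local account whose hint is non-empty, then applies the benchmark's `dscl . -delete /Users/<username> hint` command to each. The record layout it parses (`RecordName:` and `hint:` attribute lines, values that contain spaces wrapped onto a following line indented by one space, records separated by a lone `-`) is an assumption about `dscl -readall` output; the sample output embedded in the script is constructed so the parser can be exercised on a machine without `dscl`.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit local accounts for password
# hints and remove them with the benchmark's dscl command.

# Constructed sample of `dscl . -readall /Users RecordName hint` output.
# Assumed layout: one attribute per line, a value containing spaces is
# printed on the next line indented by one space, and "-" ends each record.
# A record with no hint simply has no "hint:" line.
SAMPLE_DSCL_OUTPUT=$(printf '%s\n' \
    'RecordName: firstuser' \
    'hint:' \
    ' name of my dog' \
    '-' \
    'RecordName: seconduser' \
    'UniqueID: 502' \
    '-' \
    'RecordName: thirduser' \
    'hint: ' \
    '-' \
    'RecordName: fourthuser' \
    'hint: call the help desk' \
    '-')

# users_with_hints: read dscl -readall records on stdin, print
# "<username><TAB><hint>" for every record whose hint is non-blank.
users_with_hints() {
    awk '
        /^RecordName: / { name = substr($0, 13); last = "RecordName"; next }
        /^hint:/        { hint = substr($0, 7);  last = "hint";       next }
        /^ /            { if (last == "hint") hint = hint substr($0, 2); next }
        /^-$/ {
            # End of record: report it only if the hint has real content.
            if (hint !~ /^[ \t]*$/) print name "\t" hint
            name = ""; hint = ""; last = ""
            next
        }
        { last = $1 }   # any other attribute line (e.g. "UniqueID: 502")
    '
}

# audit_sample: run the parser over the constructed sample (offline check).
audit_sample() {
    printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | users_with_hints
}

# audit_live: query the local directory on macOS (requires dscl).
audit_live() {
    dscl . -readall /Users RecordName hint | users_with_hints
}

# remove_hint: the benchmark's remediation for a single account.
remove_hint() {
    sudo dscl . -delete "/Users/$1" hint
}

# remove_hints_for: read "<username><TAB><hint>" lines on stdin (as produced
# by users_with_hints) and remove the hint from each listed account.
remove_hints_for() {
    while IFS="$(printf '\t')" read -r user _; do
        echo "removing password hint for $user"
        remove_hint "$user"
    done
}

# Stand-alone behaviour: audit the live system where dscl exists, otherwise
# demonstrate the parser on the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    audit_live
else
    echo "dscl not found; parsing the constructed sample instead:"
    audit_sample
fi
```

On a Mac, `audit_live | remove_hints_for` performs the benchmark's remediation for every account that still has a hint; run `audit_live` alone first to review the list, and run it again afterwards to confirm no lines are returned. Blank hints (as in `thirduser` above) are already compliant and are not reported.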
Additional Information:
Organizations might consider entering an organizational help desk phone number or other text (such as a warning to the user). A help desk number is only appropriate for organizations with trained help desk personnel that are validating user identities for password resets.