5.2.7 Ensure Password Age Is Configured

Information

Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.

Rationale:

Passwords should be changed periodically to reduce exposure.

Impact:

Required password changes will lead to some locked computers requiring admin assistance.

Solution

Perform the following to enable passwords expiring at no greater than 365 days:
Terminal Method:
Run the following command to require that passwords expire after at most 365 days:

$ sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=<value<=525600>'

example:

$ sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=43200'

Profile Method:

Create or edit a configuration profile with the PayLoadType of com.apple.mobiledevice.passwordpolicy

Add the key maxPINAgeInDays

Set the key to <integer><value<=365></integer>

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Unix

Control ID: 3ece0cfac9be335d6b3ae66c115b30c57325f5677bfa0f78d08b59c66ac8aca9