7.2.3 Audit Passwords System Preference Setting

Information

Apple has provided a new interface in macOS Monterey for managing passwords that mirrors the capability already available in iOS. Password management in macOS was previously available in both Safari Preferences and in Keychain Access. Apple is attempting to simplify password management for macOS and make the user experience more similar to iOS. Organizations are justifiably concerned about the risk of password managers, particularly that saved credentials may act as a backdoor around improved credential management regimes and the wider use of Multi-Factor Authentication (MFA).

Apple has posted additional information on this system preference:

Change Passwords preferences on Mac

A warning icon is shown next to a website for any of the following reasons:

Easily guessed

Appeared in a data leak

Reused on another website

Rationale:

Organizations should limit which passwords can be saved on user computers, and with that an attacker's ability to steal organizational credentials. Limits on password storage must be evaluated against both user risk and enterprise risk.

Impact:

Organizations are constantly reported as having their password databases leaked to the Internet, so every password a user has should be unique. Locking down a secure password management solution so that it cannot be used pushes users toward password reuse, sticky notes, or always-open text files with long lists of credentials.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to configure the Passwords preference pane to your organization's requirements:

Open System Preferences

Select Passwords

Enter the user password

Select the Detect compromised passwords setting to match your organization's settings

Remove stored passwords that should not be saved.
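As an added example (not part of the CIS benchmark or of the Nessus plugin), the following shell script shows one way to supplement the graphical review from the command line: it parses the output of the macOS `security dump-keychain` command for internet-password (`inet`) items and flags the ones whose server belongs to an organizational domain, so that credentials which should not be saved on the machine can be identified for removal. The dump text, the account name and the domain list are constructed for the example; the record layout is the one `security dump-keychain` prints for file-based keychains. Passwords managed through the Passwords preference pane are generally held in iCloud Keychain rather than the file-based login keychain, and a file-keychain dump may not include them, so this complements rather than replaces the manual check.

```shell
#!/bin/sh
# Added example: audit file-based keychain dumps for saved web credentials on
# organizational domains. Not from the CIS benchmark or Nessus.

# Constructed sample in the layout produced by
#   security dump-keychain ~/Library/Keychains/login.keychain-db
# (account, servers and path are made up for the example).
SAMPLE_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "atyp"<blob>="form"
    "desc"<blob>="Web form password"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="sso.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "atyp"<blob>="form"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="www.personalshop.test"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="Some App Token"
'

# flagged_items DUMP_TEXT "domain1 domain2 ..."
# Prints "<server> <account>" for every inet item whose server equals one of
# the domains or is a subdomain of it. Generic-password (genp) items are
# ignored because they are not website credentials.
flagged_items() {
  printf '%s\n' "$1" | awk -v domains="$2" '
    function matches(host,   i) {
      for (i = 1; i <= n; i++) {
        if (host == d[i]) return 1
        if (substr(host, length(host) - length(d[i])) == "." d[i]) return 1
      }
      return 0
    }
    # One dump record ends where the next "keychain:" header begins.
    function flush() {
      if (cls == "inet" && srvr != "" && matches(srvr)) print srvr, acct
      cls = ""; acct = ""; srvr = ""
    }
    BEGIN { n = split(domains, d, " ") }
    /^keychain:/ { flush() }
    /^class:/ { cls = $2; gsub(/"/, "", cls) }
    /"acct"<blob>=/ { acct = $0; sub(/^[^=]*=/, "", acct); gsub(/^"|"$/, "", acct) }
    /"srvr"<blob>=/ { srvr = $0; sub(/^[^=]*=/, "", srvr); gsub(/^"|"$/, "", srvr) }
    END { flush() }
  '
}

# Stand-alone run against the constructed sample: only the corporate SSO
# entry is reported, the personal shopping site and the app token are not.
flagged_items "$SAMPLE_DUMP" "example.com"
```

On the audited Mac, feed the real dump in with `flagged_items "$(security dump-keychain ~/Library/Keychains/login.keychain-db)" "example.com corp.example"`; an item that should not be stored can then be deleted with `security delete-internet-password -a jdoe -s sso.example.com` (the account and server names here are the example's). The domain list is the organization's own; matching is by exact host or by suffix after a dot, so `example.com` also covers `sso.example.com` but not `notexample.com`.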

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2(1), 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: f0cf144f995a88f6472e6a4abedeec224da27c14aada8d946df6d004773cd19e