Information
The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur.
Ensure that a lockout threshold is part of the password policy on the computer.
Rationale:
The account lockout feature mitigates brute-force password attacks on the system.
Impact:
The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on.
The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered.
Solution
Terminal Method:
Run the following command to set the maximum number of failed login attempts to less than or equal to 5:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=<value<=5>'
Note: When the account lockout threshold is set with pwpolicy, it will also set a reset value to policyAttributeMinutesUntilFailedAuthenticationReset that defaults to 1 minute. You can change this value with the command:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=<value in minutes>'
example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=5'
/usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=10'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is maxFailedAttempts
The key must be set to <integer><value<=5></integer>
Note: When setting the lockout threshold with a mobile configuration profile there is no default reset to the lockout. To set the reset value use the key autoEnableInSeconds and set the key to <integer><value in seconds></integer>.
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.