Information
The account lockout threshold specifies the number of times a user can enter an incorrect password before a lockout occurs.
Ensure that a lockout threshold is part of the password policy on the computer.
Rationale:
The account lockout feature mitigates brute-force password attacks on the system.
Impact:
The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on.
The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered.
Solution
Terminal Method:
Run the following commands to set the maximum number of failed login attempts to 5 or fewer and the reset window to 15 minutes or fewer:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=<value<=5>'
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=<value<=15>'
Example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=5'
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=15'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is maxFailedAttempts
The key must be set to <integer><value<=5></integer>
The key to include is minutesUntilFailedLoginReset
The key must be set to <integer><value<=15></integer>
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.
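The following is an added example, not part of the benchmark text: a Python helper that generates the profile payload described above and audits either an existing profile or the line printed by pwpolicy -getglobalpolicy against the two ceilings (5 attempts, 15 minutes). It assumes -getglobalpolicy prints space-separated key=value pairs, and the profile identifier "example.lockout" is a constructed placeholder.

```python
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
LIMITS = {"maxFailedAttempts": 5, "minutesUntilFailedLoginReset": 15}
# pwpolicy -getglobalpolicy names the same two settings differently
PWPOLICY_KEYS = {"maxFailedLoginAttempts": "maxFailedAttempts",
                 "policyAttributeMinutesUntilFailedAuthenticationReset": "minutesUntilFailedLoginReset"}


def check_values(values):
    """Return findings for a {profile key: value} mapping; empty list == compliant."""
    findings = []
    for key, limit in LIMITS.items():
        value = values.get(key)
        if value is None or not 1 <= int(value) <= limit:
            findings.append("%s=%s is not within 1..%d" % (key, value, limit))
    return findings


def build_lockout_profile(max_failed=5, reset_minutes=15, identifier="example.lockout"):
    """Return a .mobileconfig (XML plist); `identifier` is a constructed placeholder."""
    settings = {"maxFailedAttempts": max_failed, "minutesUntilFailedLoginReset": reset_minutes}
    findings = check_values(settings)
    if findings:  # refuse to emit a profile that would fail the benchmark
        raise ValueError("; ".join(findings))
    payload = {"PayloadType": PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": identifier + ".passwordpolicy",
               "PayloadUUID": str(uuid.uuid4()).upper(), **settings}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadDisplayName": "Account Lockout Policy",
               "PayloadIdentifier": identifier,
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Audit an existing .mobileconfig; a missing passwordpolicy payload is a finding."""
    content = plistlib.loads(profile_bytes).get("PayloadContent", [])
    payloads = [p for p in content if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no %s payload in profile" % PAYLOAD_TYPE]
    return [f for p in payloads for f in check_values(p)]


def audit_pwpolicy_output(text):
    """Audit the 'key=value key=value' line printed by pwpolicy -getglobalpolicy."""
    raw = dict(tok.split("=", 1) for tok in text.split() if "=" in tok)
    return check_values({PWPOLICY_KEYS[k]: v for k, v in raw.items() if k in PWPOLICY_KEYS})
```

Write the bytes returned by build_lockout_profile() to a .mobileconfig file and install it through your MDM or System Settings; a value of 0 is treated as non-compliant because it disables the lockout.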