2.11.1 Ensure Users' Accounts Do Not Have a Password Hint

Information

Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.

Rationale:

Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks.

Solution

Graphical Method:
Perform the following steps to remove a user's password hint:

Open System Settings

Select Touch ID & Passwords (or Login Password on non-Touch ID Macs)

Select Change...

Change the password and ensure that no text is entered in the Password hint box

Note: This will only change the currently logged-in user's password, and not any others that are not compliant on the Mac. Use the terminal method if multiple users are not in compliance.
Terminal Method:
Run the following command to remove a user's password hint:

$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/<username> hint

example:

$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/firstuser hint

$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/seconduser hint

Additional Information:

Organizations might consider entering an organizational help desk phone number or other text (such as a warning to the user). A help desk number is only appropriate for organizations with trained help desk personnel that are validating user identities for password resets.

See Also

https://workbench.cisecurity.org/files/4159