5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured

Information

Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters.

Ensure that a number or numeric value is part of the password policy on the computer.

The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system.

Solution

Terminal Method:

Run the following command to set passwords to require at least one number:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy -setaccountpolicies "requiresNumeric=<value>=1>"

example

:

$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresNumeric=2"

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.mobiledevice.passwordpolicy
- The key to include is requireAlphanumeric
- The key must be set to <true/>

Note: This profile sets a requirement of both an alphabetical and a numeric character.

Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.

Impact:

Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts.

See Also

https://workbench.cisecurity.org/benchmarks/15551

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 8b8e08d8ec6962c7adfc1fabf09e5f57f85cb9e290818c02c8164b5e7ca2c48c