2.13.1 Audit Passwords System Preference Setting

Information

Apple has provided a new interface in macOS Monterey for managing passwords that mirrors the interface capability already available in iOS. Password management in macOS was previously available in both Safari Preferences and in Keychain Access. Apple is attempting to simplify password management for macOS and make the user experience more similar to iOS. Organizations are justifiably concerned about the risk of password managers, particularly as a possible backdoor to improved credential management regimes and greater use of multi-factor authentication (MFA).

Apple has posted additional information on this system preference:

Change Passwords preferences on Mac

A warning icon is shown next to a website for any of the following reasons:

- Easily guessed
- Appeared in a data leak
- Reused on another website

Organizations should limit which passwords can be saved on user computers, thus reducing the ability of attackers to steal organizational credentials. Limits on password storage must be evaluated based on both user risk and enterprise risk.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:

Perform the following steps to configure the Passwords system settings according to your organization's policy:

- Open System Settings
- Select Passwords
- Enter the user's password
- Select Security Recommendations
- Remove stored passwords that should not be saved

Impact:

Organizations are constantly reported as having their password databases leaked to the Internet, so every password a user has should be unique. Locking down secure password management solutions so that they cannot be used pushes users toward password reuse, sticky notes, or always-open text files with long lists of credentials.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2(1), 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: e9656db4ec425147b652b45c239bd7c3eb3080a1ad9ec233bf4a534ad3f5a6ed