The macOS system must prohibit password reuse for a minimum of five generations.


Overview

Finding ID: V-259539
Version: APPL-14-003009
Rule ID: SV-259539r941239_rule
IA Controls: (none listed)
Severity: Medium
Description
The macOS must be configured to enforce a password history of at least five previous passwords when a password is created. This rule ensures that users cannot reuse a password that was used in any of the five previous password generations. Limiting password reuse keeps a user from rotating straight back to a password that may already have been exposed (leaked, shared, or captured), so a compromised credential does not regain validity after a mandatory change and an attacker cannot rely on old passwords coming back into use. Note: The guidance for password-based authentication in NIST SP 800-53 (Rev. 5) and NIST SP 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but an organization may define its own password complexity rules.
STIG: Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Date: 2024-01-10

Details

Check Text ( C-63278r941237_chk )
Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= 5 ) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding. The pipeline drops the one-line header that pwpolicy prints before the XML plist, extracts the integer that follows the policyAttributePasswordHistoryDepth key, and compares it against 5. If no history policy is configured at all, the XPath matches nothing, xmllint writes an error to stderr, awk receives no input and prints nothing; an empty result is therefore also a finding.
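The following is an added example, not part of the STIG or of the macOS Security Compliance Project: a portable re-implementation of the check above that reads pwpolicy output from stdin, so it can be exercised offline against constructed samples (including the case where no history policy exists). It uses the portable `tail -n +2` spelling and a sed expression instead of xmllint, and reports "yes"/"no" exactly like the STIG pipeline. The sample plists are constructed and show only the dict the check inspects; a real policy set carries more entries, and the policyContent strings are omitted.

```shell
#!/bin/sh
# Added example (not STIG code): offline re-implementation of the
# APPL-14-003009 check over constructed pwpolicy output.

# Constructed sample of what `pwpolicy -getaccountpolicies` prints: a one-line
# header followed by a plist. Only the dict the check inspects is included.
SAMPLE_PASS='Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributePasswordHistoryDepth</key>
        <integer>5</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>'

# Same structure with a history depth below the required minimum.
SAMPLE_FAIL=$(printf '%s' "$SAMPLE_PASS" | sed 's/<integer>5<\/integer>/<integer>3<\/integer>/')

# No history policy at all: the key is absent, which must also be a finding.
SAMPLE_NONE='Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array/>
</dict>
</plist>'

# history_depth_ok: read pwpolicy output on stdin; print "yes" and return 0
# when policyAttributePasswordHistoryDepth is 5 or more, otherwise print "no"
# and return 1. `tail -n +2` drops the header line (the STIG uses the BSD-only
# `tail +2` spelling); joining the lines lets one sed expression find the
# <integer> that follows the key without an xmllint dependency.
history_depth_ok() {
  depth=$(tail -n +2 | tr -d '\n' | sed -n \
    's/.*<key>policyAttributePasswordHistoryDepth<\/key>[[:space:]]*<integer>\([0-9]*\)<\/integer>.*/\1/p')
  if [ -n "$depth" ] && [ "$depth" -ge 5 ]; then
    echo yes
    return 0
  fi
  echo no
  return 1
}

# Run the constructed samples. On a Sonoma host, feed the live command instead:
#   /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | history_depth_ok
for s in "$SAMPLE_PASS" "$SAMPLE_FAIL" "$SAMPLE_NONE"; do
  printf '%s\n' "$s" | history_depth_ok || :
done
```

The function's exit status makes it usable as a gate in a larger compliance script, while the printed "yes"/"no" keeps it directly comparable to the STIG's expected output. Note that the sed approach picks the integer immediately following the key; if a host ever carried more than one history-depth entry, the original xmllint XPath would print every match, so inspect the raw plist before trusting either form in that unusual case.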
Fix Text (F-63186r941238_fix)
Configure the macOS system to prohibit password reuse for five generations by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile. In that Passcode payload the relevant setting is the pinHistory key; a value of 5 or greater satisfies this rule. Re-run the check command after the profile is installed to confirm it returns "yes".