The macOS system must prohibit password reuse for a minimum of five generations.

STIG ID: APPL-14-003009  |  SRG: SRG-OS-000077-GPOS-00045  |  Severity: medium  |  CCI: CCI-000200  |  Vulnerability Id: V-259539

Vulnerability Discussion

The macOS must be configured to enforce a password history of at least five previous passwords when a password is created.

This rule ensures that users are not allowed to reuse a password that was used in any of the five previous password generations.

Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but an organization may define its own password complexity rules.

Check

Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | \
  /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | \
  /usr/bin/awk '{ if ($1 >= 5 ) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.
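The same test as the pipeline above, reimplemented as an added Python example (not part of the STIG and not Apple or DISA code): it drops the pwpolicy banner line, parses the remaining plist with plistlib, and returns "yes" or "no". It treats a missing history key as a finding, a case where the awk pipeline prints nothing at all rather than "no". The sample pwpolicy output is constructed, not captured from a real host.

```python
import plistlib
from xml.parsers.expat import ExpatError

MIN_HISTORY_DEPTH = 5  # "minimum of five generations"
KEY = "policyAttributePasswordHistoryDepth"


def strip_banner(raw):
    # pwpolicy prints a one-line status banner before the plist (why the
    # check uses `tail +2`); keep only the XML that follows it.
    idx = raw.find(b"<?xml")
    return raw[idx:] if idx != -1 else b""


def find_history_depth(node):
    # First integer stored under KEY at any depth, mirroring the check's XPath
    # (match the <key> anywhere, take the element that follows it).
    if isinstance(node, dict):
        for key, value in node.items():
            if key == KEY and isinstance(value, int):
                return value
            found = find_history_depth(value)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_history_depth(item)
            if found is not None:
                return found
    return None


def evaluate(raw_output):
    # "yes" when depth >= 5, else "no". A missing key or unparsable output is
    # "no" (a finding); the awk pipeline prints nothing at all in that case.
    xml = strip_banner(raw_output)
    try:
        policies = plistlib.loads(xml) if xml else {}
    except (plistlib.InvalidFileException, ExpatError):
        return "no"
    depth = find_history_depth(policies)
    return "yes" if depth is not None and depth >= MIN_HISTORY_DEPTH else "no"


# Constructed sample of pwpolicy output (not from a real host): one
# password-content policy whose parameters set the history depth to 5.
SAMPLE_COMPLIANT = b"""Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>policyCategoryPasswordContent</key>
  <array><dict><key>policyParameters</key><dict>
    <key>policyAttributePasswordHistoryDepth</key><integer>5</integer>
  </dict></dict></array>
</dict></plist>
"""
```

On a live host, feed `subprocess.run(["/usr/bin/pwpolicy", "-getaccountpolicies"], capture_output=True).stdout` to `evaluate()`.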

Fix

Configure the macOS system to prohibit password reuse for five generations by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.