The macOS system must disable password hints.

STIG ID: APPL-14-003012  |  SRG: SRG-OS-000079-GPOS-00047 |  Severity: medium |  CCI: CCI-000206 |  Vulnerability Id: V-259542 | 

Vulnerability Discussion

Password hints must be disabled.

Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.

Check

Verify the macOS system is configured to disable password hints with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('RetriesUntilHint').js
EOS

If the result is not "0", this is a finding.

Fix

Configure the macOS system to disable password hints by installing the "com.apple.loginwindow" configuration profile.