The macOS system must disable password hints.

STIG ID: APPL-14-003012 | SRG: SRG-OS-000079-GPOS-00047 | Severity: medium | CCI: CCI-000206

Vulnerability Discussion

Password hints must be disabled.

A password hint is shown at the login window, before any authentication takes place, so it is visible to anyone with access to the screen. Hints leak information about the password currently in use and can lead to a loss of confidentiality.

Check

Verify the macOS system is configured to disable password hints with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('RetriesUntilHint').js
EOS

If the result is not "0", this is a finding. A value of "0" means no number of failed attempts will ever display the hint; any other value, or no result at all (the key is not being managed), is a finding.

Fix

Configure the macOS system to disable password hints by installing the "com.apple.loginwindow" configuration profile. The profile's com.apple.loginwindow payload must set the key "RetriesUntilHint" to the integer value 0, which is the value the check above reads back from the managed preference domain.
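The following is an added example, not part of the STIG or of any DISA or Apple tooling. It builds a minimal configuration profile (.mobileconfig) whose com.apple.loginwindow payload sets RetriesUntilHint to 0, audits an arbitrary profile for that setting before deployment, and applies the check rule from this STIG to the output of the osascript command (treating an empty result, meaning the key is not managed, as a finding). The profile identifier org.example.stig.appl-14-003012 and the display names are placeholders chosen for the example; the PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion, PayloadScope and PayloadContent keys are the standard profile structure.

```python
#!/usr/bin/env python3
"""Added example for APPL-14-003012 (not the STIG's own tooling).

  --write   emit a .mobileconfig that disables password hints
  (no args) on macOS, run the STIG check and report finding / not a finding
"""
import plistlib
import subprocess
import sys
import uuid

PAYLOAD_DOMAIN = "com.apple.loginwindow"   # preference domain read by the check
HINT_KEY = "RetriesUntilHint"              # 0 == never show the hint
PROFILE_ID = "org.example.stig.appl-14-003012"   # placeholder identifier


def build_profile(retries_until_hint: int = 0) -> bytes:
    """Return an XML plist profile carrying one com.apple.loginwindow payload.

    The default (0) is the compliant setting; other values are used only to
    exercise the audit function below.
    """
    payload = {
        "PayloadType": PAYLOAD_DOMAIN,
        "PayloadIdentifier": f"{PROFILE_ID}.loginwindow",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Login Window",
        HINT_KEY: retries_until_hint,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",          # must be installed device-wide
        "PayloadDisplayName": "APPL-14-003012 disable password hints",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_disables_hints(profile_bytes: bytes) -> bool:
    """True only if some com.apple.loginwindow payload sets RetriesUntilHint to 0."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_DOMAIN:
            continue
        value = payload.get(HINT_KEY)
        # bool is a subclass of int; a <false/> in the plist must not pass as 0.
        if isinstance(value, int) and not isinstance(value, bool) and value == 0:
            return True
    return False


def is_finding(check_output: str) -> bool:
    """Apply the STIG rule to the raw osascript output.

    Anything other than exactly "0" is a finding, so an empty result
    (the key is not managed by any profile) is a finding too.
    """
    return check_output.strip() != "0"


def run_live_check() -> bool:
    """Run the STIG check command on macOS; returns True if it is a finding."""
    script = (
        f"$.NSUserDefaults.alloc.initWithSuiteName('{PAYLOAD_DOMAIN}')"
        f".objectForKey('{HINT_KEY}').js"
    )
    result = subprocess.run(
        ["/usr/bin/osascript", "-l", "JavaScript", "-e", script],
        capture_output=True, text=True, check=False,
    )
    return is_finding(result.stdout)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--write":
        sys.stdout.buffer.write(build_profile())
    elif sys.platform == "darwin":
        print("finding" if run_live_check() else "not a finding")
    else:
        print("live check only runs on macOS; use --write to emit the profile")
```

Write the profile with `python3 disable_hints.py --write > disable_hints.mobileconfig` and deploy it through MDM; the audit function is worth running in CI over every loginwindow profile in the repository so that a later edit that changes or drops RetriesUntilHint is caught before it reaches a device.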