The macOS system must remove password hints from user accounts.

STIG ID: APPL-14-003014  |  SRG: SRG-OS-000079-GPOS-00047 | Severity: medium |  CCI: CCI-000206

Vulnerability Discussion

User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.

Check

Verify the macOS system is configured to remove password hints from user accounts with the following command:

/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs

If the result is not "0", this is a finding.

Fix

Configure the macOS system to remove password hints from user accounts with the following command:

for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
/usr/bin/dscl . -delete /Users/$u hint
done
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.