The macOS system must remove password hints from user accounts.

STIG ID: APPL-15-003014  |  SRG: SRG-OS-000079-GPOS-00047 |  Severity: medium |  CCI: CCI-000206 |  Vulnerability Id: V-268541

Vulnerability Discussion

User accounts must not contain password hints.

Password hints leak information about passwords in use and can lead to loss of confidentiality.

Check

Verify the macOS system is configured to remove password hints from user accounts with the following command:

HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')

if [ -z "$HINT" ]; then
echo "PASS"
else
echo "FAIL"
fi

If the result is not "PASS", this is a finding.

Fix

Configure the macOS system to remove password hints from user accounts with the following command:

for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
/usr/bin/dscl . -delete /Users/$u hint
done
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.