Ntiva Security Standards - Passcode Policy - Mac
Passcode
Setting a passcode policy for your Macs is a great first line of defense to protect your hardware.
Controls
- Require at least one letter and one number
- Number of unique passwords required before allowing repeat passwords: [3]
- Delay after failed login attempts in minutes: [2]
- Minimum Password Length: [12]
- Minimum Number of Complex Characters: [1]
- Maximum failed attempts allowed before lock/erase: [10]
Notes
- This policy only applies if an organization is not using Addigy Identity (our preference) with Microsoft or Google, or other solutions that sync local Mac passwords to an Identity Provider.
- There is a control for managing the use of "simple passwords" - if simple passwords are disallowed, passwords cannot contain repeating characters. This is helpful to prevent someone from using a password like "Text1122", but also disallows words that contain repeating letters, like "letter", "pass", "colloquial", etc.
- Do not use this policy for iOS devices: the friction for users moving from what they expect (4-6 character numeric passcodes) to 12-character alphanumeric passwords can be extreme.
- We strongly recommend the use of biometric authentication methods (TouchID, FaceID) on supporting devices.
- Following NIST best practices, we do not recommend enforcing password expiration. For more information, see https://pages.nist.gov/800-63-FAQ/#q-b05
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
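The following is an added example, not Ntiva's or Addigy's own tooling: a Python check that audits an exported configuration profile against the controls and notes above. The key names are Apple's Passcode payload keys; which key each control maps to, and treating each value as a minimum level of strictness, are assumptions of this example.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
# (rule, value) per key, values from the Controls list. Mapping each control to
# these Apple Passcode payload keys is an assumption of this example.
BASELINE = {
    "requireAlphanumeric": ("eq", True),           # one letter and one number
    "pinHistory": ("min", 3),                      # unique passwords before reuse
    "minutesUntilFailedLoginReset": ("min", 2),    # delay after failed logins
    "minLength": ("min", 12),
    "minComplexChars": ("min", 1),
    "maxFailedAttempts": ("max", 10),
}

def audit_profile(profile_bytes):
    """Return findings for the passcode payload of a .mobileconfig (plist bytes)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode payload found"]
    policy, findings = payloads[0], []
    for key, (rule, want) in BASELINE.items():
        have = policy.get(key)
        weaker = (have is None
                  or (rule == "eq" and have != want)
                  or (rule == "min" and have < want)
                  or (rule == "max" and have > want))
        if weaker:
            findings.append(f"{key}: {have!r} is weaker than baseline {want!r}")
    if "maxPINAgeInDays" in policy:   # Notes: do not enforce password expiration
        findings.append("maxPINAgeInDays: expiration is enforced")
    return findings

def make_profile(policy):
    """Wrap a policy dict in a minimal profile; constructed sample, not a real export."""
    payload = dict(policy, PayloadType=PAYLOAD_TYPE)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed sample inputs.
COMPLIANT = make_profile({"requireAlphanumeric": True, "pinHistory": 3,
                          "minutesUntilFailedLoginReset": 2, "minLength": 12,
                          "minComplexChars": 1, "maxFailedAttempts": 10})
WEAK = make_profile({"requireAlphanumeric": True, "minLength": 8,
                     "minComplexChars": 1, "maxFailedAttempts": 10,
                     "minutesUntilFailedLoginReset": 2, "maxPINAgeInDays": 90})

if __name__ == "__main__":
    for name, blob in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, audit_profile(blob) or "matches baseline")
```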
See also
Tips for creating secure passwords on Mac