Ntiva Security Standards - Passcode Policy - Mac
Setting a passcode policy for your Macs is a great first line of defense to protect your hardware.
- Require at least one letter and one number
- Number of unique passwords required before allowing repeat passwords: 
- Delay after failed login attempts in minutes: 
- Minimum Password Length: 
- Minimum Number of Complex Characters: 
- Maximum failed attempts allowed before lock/erase: 
- This policy only applies if an organization is not using Addigy Identity (our preference) with Microsoft or Google, or other solutions that sync local Mac passwords to an Identity Provider.
- We recommend setting "Minimum Number of Complex Characters" to no value higher than 1, as the macOS GUI is unable to inform the user that more than one is required, which can lead to frustration while trying to set compliant passwords.
- Do not use this policy for iOS devices, as the amount of friction with users moving from what they expect (4-6 character numeric passcodes) to 12-digit alphanumeric can be extreme.
- Following NIST best practices, we do not recommend enforcing password expiration. For more information, see https://pages.nist.gov/800-63-FAQ/#q-b05
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”