Can an 'incorrect password lockout' be set?
I administer seven Macs running a range of OS X 10.10 to macOS 10.13. The machine I use to administer them is running OS X 10.10.
All of the users are Standard accounts, with one Admin account which I use to administer the computers.
Is there a way to set an incorrect-password lockout, which will only let you try more passwords after a set time has elapsed, or after the Admin user grants access again?
I would like to use the lockout as an additional layer of security against someone trying to brute force their way into a remote desktop session with a machine when the machine is on a public network (e.g. hotel / airport etc.).
It turns out that you can use a Terminal command to achieve this. Note that parts of this command are deprecated, but I tested it on macOS 10.13.3 and everything seems to work.
- On the device that has the account you want to set a lock on, log into the administrator account.
- Open Terminal and enter the following command:
  pwpolicy -u testuser -setpolicy "maxFailedLoginAttempts=1"
  Assume that testuser is the short name of the user you want to apply the lockout settings to, and 1 is the number of failed attempts required to trigger the account lock.
- Restart the device to ensure that the changes take effect.
If an account is locked, you can log into the administrator account again and unlock the standard account using the following command:
pwpolicy -u testuser -enableuser
Update: I was able to test this with remote connections, and your device will not allow remote authentication with a locked account.
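The answer above gives the two pwpolicy commands for one account. The script below is an added example (not part of the answer or of Apple's tooling) that wraps those same commands so the Admin user can apply the lockout to every Standard account on a Mac at once, verify what was set with pwpolicy -getpolicy, and unlock an account afterwards. The --apply/--unlock subcommand names, the 1..99 range check and the rule of skipping members of the admin group (so the Admin account used for unlocking can never lock itself out) are this script's own assumptions; dscl, dseditgroup and pwpolicy are the stock macOS tools.

```shell
#!/bin/sh
# Added example: batch wrapper around the pwpolicy commands from the answer.
# Run as the Admin user on the Mac being configured; reboot afterwards, as the
# answer recommends, for the policy to take effect.
set -eu

# Validate the attempt count: a positive integer in 1..99 (range is an
# assumption of this script). Fails on anything else so a typo can never
# produce an empty "maxFailedLoginAttempts=" policy.
validate_attempts() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty, or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 99 ]
}

# Build the exact policy string used by the answer's -setpolicy command.
lockout_policy_string() {
    validate_attempts "$1" || return 1
    printf 'maxFailedLoginAttempts=%s\n' "$1"
}

# List local accounts with UID >= 501 that are NOT in the admin group.
# Admin accounts are skipped so the unlocking account cannot lock itself out.
standard_users() {
    dscl . -list /Users UniqueID | while read -r name uid; do
        [ "$uid" -ge 501 ] || continue                         # skip system accounts
        dseditgroup -o checkmember -m "$name" admin >/dev/null 2>&1 && continue
        printf '%s\n' "$name"
    done
}

apply_lockout() {   # apply_lockout <user> <attempts>
    pwpolicy -u "$1" -setpolicy "$(lockout_policy_string "$2")"
}

show_policy() {     # show_policy <user>  -- confirm what was actually set
    pwpolicy -u "$1" -getpolicy
}

unlock_user() {     # unlock_user <user>  -- the answer's recovery command
    pwpolicy -u "$1" -enableuser
}

main() {
    case "${1:-}" in
        --apply)
            validate_attempts "${2:-}" || { echo "usage: $0 --apply <attempts>" >&2; exit 2; }
            for u in $(standard_users); do
                apply_lockout "$u" "$2"
                show_policy "$u"
            done
            echo "Restart the Mac for the lockout policy to take effect." ;;
        --unlock)
            [ -n "${2:-}" ] || { echo "usage: $0 --unlock <user>" >&2; exit 2; }
            unlock_user "$2" ;;
        *)  echo "usage: $0 --apply <attempts> | --unlock <user>" >&2; exit 2 ;;
    esac
}

# Only act when given a subcommand; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sudo sh lockout.sh --apply 5` sets a five-attempt lockout on every Standard account and prints each account's resulting policy; `sudo sh lockout.sh --unlock testuser` re-enables a locked account. Keeping the Admin account out of the loop matters because, as the answer notes, that account is the only way to run -enableuser once a Standard account is locked.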
When FileVault is enabled there are a total of 90 maximum password and recovery attempts.
See Page 7 of Apple T2 Security Chip: Security Overview
- No more than 30 password attempts are allowed at the Login Window or via Target Disk Mode (a maximum of 90 possible attempts including recovery methods).
- Once those attempts are exhausted, the Secure Enclave will no longer process any requests to decrypt the volume or verify the password.
- Escalating time delays are imposed after incorrect attempts.
- If the Mac is restarted during a delay, the delay is still enforced, with the timer starting over for the current period.
- If the 30 attempts are exhausted, 10 more attempts are available after booting into macOS Recovery.
- If the 10 attempts are also exhausted, then 30 more attempts are available for each enabled FileVault recovery mechanism (iCloud recovery, FileVault recovery key, and institutional key).