Turn off the ability for users to have a password hint
I am working on a security setting for my company that requires users to not have a password hint. Since we have several users that either
- ignore our security options and
- purposely go against ones they don't like, I need a way to turn it off in terminal for 10.13-10.15.
I know I could create a script that pulls the User lists, and repopulates the opendirectory command to insert a 'blank' password (dscl . -merge /Users/username hint "password hint"
), but I would like to turn off the ability as part of the setup. I have scoured the Internet and found nothing so far.
Does anyone have any suggestions?
PS. I also want to build a profile for it, but we are a ways away from profile management but any suggestions on that would be helpful as well.
The ability to disable Passwords Hints has been built into macOS
System Preferences → Users & Groups → Login Options. Just make sure "Show Password Hints" is unchecked.
Using Terminal, you can issue the command:
defaults write com.apple.loginwindow RetriesUntilHint -int 0
Your security policy
You aren't alone in dealing with employees/users who what to go against the grain so to speak when it comes to security. The users that you described: the ones who ignore your security and the ones who actively go against your policies can actually be the biggest threats to data security.
First thing to know is that there is no technology you can implement that will secure a user who ignores your security policy - i.e (don't use personal email accounts when sending sensitive documents) or employees that circumvent them (puts a Post-It note with their password on the screen because it needs to be changed every 90 days).
-
The very first thing you need to do is define the security policy and why it's being defined. Describe what data or system (or whatever) you are protecting and the risk it poses if it's compromised (i.e. loss of revenue, litigation, etc.).
-
The very next thing is to get buy in from management. Not only should you periodically remind employees, but have an official communication come from management spelling out the policy - don't do this alone!
-
Thirdly, involve HR (or whoever is ultimately responsible for hiring and firing) to spell out the consequences of not adhering to the policy.
Why is this important?
As an IT manager, I can't tell you the number of times a data breach occurred not because I or the systems I put in place failed, but people who didn't like the policies actively went around them. Having these operational policies in place squarely puts the burden on the employee and management and not you. Now, as an IT consultant (I charge for this type of analysis) I can't tell you how many times my business increased because the IT manager took my report, went back to management and said "see, I told you so."
Obviously, I'm speaking in broad terms, but the takeaway from this is to not shoulder security by yourself. Define your policy, use whatever tech is available (can afford) and get buy in from the whole organization.