Mac OS

Security Solutions for Mac OS

Archive for November, 2009

Posted by lionking on November 27, 2009

Securing Mac OS X

Password Assistant

The password assistant is a user-friendly application that helps users choose good-quality passwords. It can be accessed by clicking the key button that is present on all password choice dialogs, for example when changing the account password. The assistant gives the user feedback on the quality of the chosen password in the form of a colour-coded bar, and also provides tips on improving the password. It can also suggest strong “memorable” passwords. It is strongly recommended that use of this tool be encouraged in user induction and training programs.

System wide password policy

Tiger provides the pwpolicy command line tool to allow administrators to set user and global password policies, including the ability to specify:

  • Password strength in the form of length and character set. It is not possible to determine whether a password is based on a dictionary word or not, nor can the use of special characters or mixed case be enforced.
  • Password expiration
  • Password reuse
  • Maximum number of failed authentication attempts

In the absence of an organizational password policy, the following policy is recommended:

  • Users cannot reuse the last 12 passwords

Posted by lionking on November 18, 2009

Displayed usernames and Password hints

Displayed user-names

By default, Mac OS X displays a list of user-names, each with an accompanying graphic, at the console login prompt. This provides too much information to passing attackers and should be disabled, so that users must enter both their user-names and passwords. Change this setting from:

System Preferences -> Accounts -> Login Options -> Display Login Window as: Name and password


Password hints

Password hints allow users to set a hint to help them if they have forgotten their passwords. While this is a helpful feature for some home users who don’t log in very often, it is typically not appropriate in a corporate environment, as it increases the risk of an attacker successfully guessing the password. To disable password hints on the system, open the file /Library/Preferences/com.apple.loginwindow.plist as root in the Property List Editor application:

  sudo open /Library/Preferences/com.apple.loginwindow.plist

Change the RetriesUntilHint value to 0.

Posted by lionking on November 8, 2009

Restart, Sleep and Shutdown and Screensaver

The Sleep, Restart and Shutdown buttons are provided on the login screen. Although it is possible to prevent these buttons from being displayed in the login window, it is not currently possible to prevent an unauthenticated user from accessing these functions.

To prevent the buttons from being displayed, deselect the option at System Preferences -> Accounts -> Login Options -> Show the Restart, Sleep and Shutdown buttons.
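The three login-window settings covered in these posts (displayed user-names, password hints, and the Restart, Sleep and Shutdown buttons) can be checked from a shell. The audit script below is an added example, not part of the original posts: RetriesUntilHint is the key named above, SHOWFULLNAME and PowerOffDisabled are the loginwindow keys assumed to back the two System Preferences options, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: audit the login-window preferences discussed in these posts.
DOMAIN=/Library/Preferences/com.apple.loginwindow

# Print the value of one key, or "unset" when the key is absent
# (`defaults read` exits non-zero for a missing key).
read_pref() {
    defaults read "$DOMAIN" "$1" 2>/dev/null || echo unset
}

# check_pref KEY WANT DESCRIPTION
# Prints one PASS/FAIL line; returns 0 on PASS, 1 on FAIL.
# An absent key counts as FAIL: the hardened value was never set.
check_pref() {
    got=$(read_pref "$1")
    case "$got" in
        true|TRUE|YES) got=1 ;;   # normalise boolean spellings
        false|FALSE|NO) got=0 ;;
    esac
    if [ "$got" = "$2" ]; then
        echo "PASS $1=$got ($3)"
        return 0
    fi
    echo "FAIL $1=$got, want $2 ($3)"
    return 1
}

# Run all three checks; the return status is the number of failed checks.
audit_loginwindow() {
    failures=0
    # RetriesUntilHint is named in the post; the other two key names are
    # assumptions about which keys back the System Preferences options.
    check_pref RetriesUntilHint 0 "password hints disabled" ||
        failures=$((failures + 1))
    check_pref SHOWFULLNAME 1 "login window asks for name and password" ||
        failures=$((failures + 1))
    check_pref PowerOffDisabled 1 "Restart, Sleep, Shutdown buttons hidden" ||
        failures=$((failures + 1))
    return "$failures"
}

# Only run where the Mac OS X `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit_loginwindow
fi
```

A non-zero exit status means at least one setting still needs to be changed as described in the posts.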

A screen-saver should be activated after a short period of inactivity, and should require a password to unlock the workstation. This prevents unauthorized passers-by from accessing an unattended workstation that is logged in. A ten-minute period of inactivity before the screen-saver is triggered should suit most organizations. The screen-saver can be enabled from System Preferences -> Desktop & Screen-saver.

  • To enable password protection on the screen-saver, select "Require password to wake this computer from sleep or screen-saver" in the Security pane of System Preferences.