
Disable Show Password Hints

Disable macOS password hints at the login window to remove a credential-guessing aid for attackers

Worklet Details

What the macOS password hint disabler does

This Automox Worklet™ disables the password hint feature on the macOS login window. When a user fails to authenticate the configured number of times, macOS normally surfaces the hint string stored with the local account. The Worklet removes that prompt by setting the RetriesUntilHint integer to 0 in /Library/Preferences/com.apple.loginwindow, so loginwindow never reaches the threshold that triggers the hint.

The evaluation script reads the current value with defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint and exits 0 only when the value is exactly 0. Any other result, including an absent key (which some macOS releases treat as a small positive default), causes the script to print "Password hints are not disabled." and exit 1, which marks the endpoint non-compliant. The remediation script re-checks the value and, when needed, writes the secure value with defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0.

Because the evaluation phase only reads the key and the remediation phase writes only when the value differs from 0, the Worklet is idempotent and safe to attach to a recurring policy. Endpoints that already hold the secure value are left alone; endpoints that drift back – typically after a Migration Assistant import, an MDM payload that ships a different RetriesUntilHint, or a manual change made through Users and Groups – are caught on the next evaluation and corrected without a separate ticket.

Why disable password hints on macOS endpoints

The macOS login window hint is an information disclosure vector at the authentication boundary. The hint is stored as plaintext on disk and surfaces to anyone with physical access to a locked Mac after a small number of failed attempts. Even seemingly innocuous hints – a pet name, a high school, a birth year, the first half of a passphrase – collapse the password search space and pair badly with credential-stuffing lists from prior breaches. CIS Benchmark for macOS control 5.7 (Do Not Enable the Show Password Hint Option) and NIST SP 800-53 IA-6 (Authenticator Feedback) both expect this surface to be suppressed.

This Worklet writes RetriesUntilHint=0 to /Library/Preferences/com.apple.loginwindow on every Mac in scope. The change is read by loginwindow on its next invocation – the next logout, screen lock, or reboot – so the hint surface disappears without restarting any service. Every Mac under management is evaluated against the same RetriesUntilHint baseline on the same cadence, and any endpoint that drifts surfaces in the activity log with the prior value captured for the CIS 5.7 change-control record.

How macOS password hint suppression works

  1. Evaluation phase: The script runs defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint and captures the result in the passHintCheck variable. If the value is exactly 0, the endpoint is compliant and the script exits 0. Any other value – including a missing key on a fresh macOS install, a positive integer such as 3 or 5, or a stale value imported from a previous environment – causes the script to emit "Password hints are not disabled." to stdout and exit 1, which schedules remediation.

  2. Remediation phase: The script repeats the same defaults read check. If the value is already 0, it logs "Setting is correct. Exiting..." and returns. Otherwise it logs "Password hints are not disabled. Correcting setting now...", runs defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0, and logs "Setting has been changed. Exiting...". The -int flag pins the type to integer, which prevents type coercion from breaking the comparison on the next evaluation. The change takes effect on the next loginwindow invocation – the next logout, screen lock, or reboot – without restarting any service.

macOS password hint hardening requirements

  • macOS endpoint running a currently supported release (the defaults domain /Library/Preferences/com.apple.loginwindow exists on every modern macOS version, including macOS Sonoma and Sequoia on Apple silicon)

  • Automox agent installed and reporting; the agent runs as root, which is the privilege level required to write /Library/Preferences/com.apple.loginwindow

  • No conflicting MDM configuration profile that re-applies a non-zero RetriesUntilHint value on a shorter cadence than the Automox policy (check Profiles in System Settings for a com.apple.loginwindow payload before scheduling)

  • FixNow compatible: the Worklet is safe to trigger on-demand from the Automox console when an audit requires immediate evidence of the hardening

  • No active user session is required; the write targets /Library/Preferences, not a per-user preferences domain, so the change applies to every account on the endpoint

Expected state after disabling password hints

On a compliant endpoint, defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint returns 0 and the login window stops surfacing the hint string regardless of how many incorrect password attempts the user makes. The hint text stored with the user account in Directory Services is not deleted – only the prompt that displays it is suppressed – so existing hint values can still be retrieved by an administrator if a future policy reverses the hardening.

Validate by running sudo defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint from Terminal and confirming the output is 0. For audit evidence, capture the same command output alongside the Automox policy run identifier, or open the policy result in the console and confirm the evaluation script exits 0 on the next scheduled run. The setting persists across reboots, FileVault unlocks, and macOS minor updates; it is only reverted if an administrator writes a non-zero RetriesUntilHint or an MDM profile pushes a competing payload, at which point the next evaluation reads the changed value and remediation writes 0 back during the same policy run.
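The evaluation and remediation steps described under "How macOS password hint suppression works", together with the validation read-back just above, as one added POSIX sh example. This is not the Worklet's published script; it assumes the macOS defaults tool and the /Library/Preferences/com.apple.loginwindow domain named on the page, and the function names (read_hint_retries, hint_disabled, evaluate, remediate) and the evaluate/remediate argument dispatch are choices made for this example.

```shell
#!/bin/sh
# Added example, not Automox's Worklet code: evaluation/remediation pair for
# the RetriesUntilHint key. Assumes the macOS `defaults` tool is present.
PLIST_DOMAIN="/Library/Preferences/com.apple.loginwindow"   # domain from the page
HINT_KEY="RetriesUntilHint"                                  # key from the page

# Read the current value. When the key is absent, `defaults read` prints an
# error on stderr and exits non-zero; that is swallowed and an empty string
# is returned so an absent key is treated exactly like "not disabled".
read_hint_retries() {
    defaults read "$PLIST_DOMAIN" "$HINT_KEY" 2>/dev/null || printf ''
}

# Compliance test on an already-read value: only the exact string "0" passes.
# Surrounding whitespace is stripped so a captured "0\n" still compares equal;
# "", "3", "-1" and any other text all fail.
hint_disabled() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$value" = "0" ]
}

# Evaluation phase: exit 0 when compliant, otherwise print the page's message
# and exit 1 so the policy schedules remediation.
evaluate() {
    if hint_disabled "$(read_hint_retries)"; then
        return 0
    fi
    echo "Password hints are not disabled."
    return 1
}

# Remediation phase: re-check, write -int 0 only when needed, then re-read so
# the exit status reflects the on-disk state rather than just the write call.
remediate() {
    if hint_disabled "$(read_hint_retries)"; then
        echo "Setting is correct. Exiting..."
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "Remediation must run as root (the Automox agent does)."
        return 1
    fi
    echo "Password hints are not disabled. Correcting setting now..."
    # -int stores an integer, as the page specifies, so the next read is "0".
    defaults write "$PLIST_DOMAIN" "$HINT_KEY" -int 0 || return 1
    if hint_disabled "$(read_hint_retries)"; then
        echo "Setting has been changed. Exiting..."
        return 0
    fi
    # A value that reverts immediately points at a competing MDM payload.
    echo "Write did not persist; check Profiles for a com.apple.loginwindow payload."
    return 1
}

# Dispatch on the first argument so the file can be sourced without touching
# the endpoint: `sudo sh hint.sh evaluate` or `sudo sh hint.sh remediate`.
case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

Running `sh hint.sh evaluate` as a manual validation step gives the same pass/fail answer the policy run records (exit 0 only for a value of exactly 0), and the post-write re-read in remediate is what distinguishes a successful hardening from a write that an MDM profile silently reverts.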

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.