Disable Show Password Hints

What the password hint disabler does

This Automox Worklet™ disables the password hint feature on macOS login screens by modifying the com.apple.loginwindow preferences. When a user enters an incorrect password multiple times, the endpoint normally displays a hint to help them remember their credentials. This Worklet removes that capability.

Password hints represent a security gap on shared endpoints or those exposed to physical attack. An attacker attempting unauthorized access can use hint text to narrow down password possibilities or identify password patterns. By removing this feature, you eliminate one method attackers use to compromise endpoint security.

The Worklet uses the defaults command to read and write the RetriesUntilHint setting in the macOS login window preferences. When RetriesUntilHint is set to 0, no password hint appears regardless of how many incorrect login attempts occur.

Why eliminate password hints from login

Password hints displayed at the macOS login screen give attackers valuable information for guessing user passwords. Even seemingly vague hints like favorite pet or birth year provide attackers with data points that narrow the password search space. Social engineering attacks combine this information with other reconnaissance to crack user credentials.

Security policies that require strong passwords become less effective when password hints weaken authentication. Users who rely on hints often create passwords based on predictable patterns or personal information that attackers can discover through social media research or data breaches from other services.

Disabling password hints forces users to remember their credentials or use proper password management tools. This approach strengthens your security posture by eliminating an information disclosure vector at the authentication boundary without impacting legitimate user access for those who properly manage their passwords.

How password hint disabling works

1. Evaluation phase: The Worklet reads the RetriesUntilHint setting from /Library/Preferences/com.apple.loginwindow. If the value equals 0, password hints are already disabled and the endpoint is compliant. If the value is anything other than 0, the endpoint requires remediation.

2. Remediation phase: The Worklet uses defaults write to set RetriesUntilHint to 0 in the com.apple.loginwindow preferences file. This change takes effect immediately and applies to all future login attempts on the endpoint.

Password hint configuration requirements

• macOS endpoints with local admin access required

• Automox agent with RunNow (FixNow) capability enabled

• Supported on all modern macOS versions

• No active user session required at remediation time

Expected login authentication behavior

After remediation, the macOS login screen no longer displays password hints when users click on their username. Authentication requires users to remember their password without assistance. The system maintains all other password reset and recovery mechanisms through your organization's identity management infrastructure.

The Worklet verifies password hint display is disabled through its evaluation phase. IT operations teams can confirm the setting by attempting to view password hints at the login screen or reviewing Worklet execution results in the Automox console.

How to validate disable show password hints changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable show password hints.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as defaults, else, exit, then rerun evaluation for compliance.