
Enforce Password Complexity

Enforce password complexity requirements on macOS endpoints with automatic policy configuration

Worklet Details

What the password complexity enforcer does

This Automox Worklet™ enforces password complexity policies on macOS endpoints by applying a configuration profile that defines specific password requirements. The Worklet checks whether current password policies match your defined settings, then applies a policy plist file that configures minimum length, character type requirements, password expiration, and failed login lockout parameters.

The Worklet iterates through all local user accounts (with configurable exemptions) and applies identical policy settings to each using the macOS pwpolicy command. It also sets the global policy to require a new password at next login, ensuring users must change their passwords to comply with the new requirements.

Why enforce password complexity on macOS

Users choose simple passwords like "Password123" that attackers crack in seconds. Without enforced complexity rules, your Mac fleet remains vulnerable to credential stuffing and brute-force attacks. Compliance auditors flag environments lacking password controls during PCI-DSS and HIPAA assessments. Weak passwords remain a primary attack vector in most organizations. Password complexity requirements significantly reduce the effectiveness of brute-force attacks and dictionary-based password cracking by requiring a minimum password length (10 characters) combined with mixed character types (uppercase, lowercase, numeric, and special characters).

This Worklet also enforces password expiration (90 days by default), which limits the damage if a password is compromised. The Worklet prevents password reuse by remembering the last three passwords, and it implements account lockout after five failed login attempts with a two-minute lockout period. These settings work together to meet security compliance standards for HIPAA, PCI-DSS, CIS Benchmarks, and SOC 2 requirements.

How password policy enforcement works

  1. Evaluation phase: The Worklet queries each user's current password policies using pwpolicy -u <user> -getaccountpolicies and compares the output against the target policy settings (minimum length, character requirements, expiration days, lockout parameters, and password history depth). If any setting does not match, the Worklet returns non-compliant.

  2. Remediation phase: The Worklet creates a plist-formatted policy file with all required settings and applies it to each user via pwpolicy -u <user> -setaccountpolicies. It then runs pwpolicy -setglobalpolicy "newPasswordRequired=1" to force all users to change their password at next login.
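An added example, not the Worklet's own script (which this page does not reproduce), showing the shape of the two phases above together with the configurable variables listed below: it builds the account-policy plist from the target values, compares a pwpolicy -getaccountpolicies dump against those targets, and applies the plist to every non-exempt local account before setting newPasswordRequired. The numeric defaults mirror this page; the exempt-account list, the function names and the policyIdentifier labels are assumptions, and the policy attribute names follow the plist format documented for pwpolicy.

```shell
#!/bin/bash
# Added example; not the Worklet's own code. Target values mirror the page's defaults.
MIN_LENGTH=10        # minimum password length
EXPIRE_DAYS=90       # password expiration in days
MAX_FAILED=5         # failed logins before lockout
LOCKOUT_SECONDS=120  # lockout duration in seconds
HISTORY_DEPTH=3      # previous passwords that may not be reused
# Assumed exemption list: accounts that are never touched (service / management accounts).
EXEMPT_USERS="_mbsetupuser automox"

# Return 0 when the account name is on the exemption list.
is_exempt() {
  case " ${EXEMPT_USERS} " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Emit the account-policy plist that pwpolicy -setaccountpolicies consumes.
build_policy_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryAuthentication</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
      <key>policyIdentifier</key><string>Account lockout</string>
      <key>policyParameters</key>
      <dict>
        <key>autoEnableInSeconds</key><integer>${LOCKOUT_SECONDS}</integer>
        <key>policyAttributeMaximumFailedAuthentications</key><integer>${MAX_FAILED}</integer>
      </dict>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key><string>Password expiration</string>
      <key>policyParameters</key>
      <dict><key>policyAttributeExpiresEveryNDays</key><integer>${EXPIRE_DAYS}</integer></dict>
    </dict>
  </array>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key><string>policyAttributePassword matches '.{${MIN_LENGTH},}+'</string>
      <key>policyIdentifier</key><string>Minimum length</string>
      <key>policyParameters</key><dict><key>minimumLength</key><integer>${MIN_LENGTH}</integer></dict>
    </dict>
    <dict><key>policyContent</key><string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string><key>policyIdentifier</key><string>Uppercase letter</string></dict>
    <dict><key>policyContent</key><string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string><key>policyIdentifier</key><string>Lowercase letter</string></dict>
    <dict><key>policyContent</key><string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string><key>policyIdentifier</key><string>Numeric character</string></dict>
    <dict><key>policyContent</key><string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string><key>policyIdentifier</key><string>Special character</string></dict>
    <dict>
      <key>policyContent</key><string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
      <key>policyIdentifier</key><string>Password history</string>
      <key>policyParameters</key><dict><key>policyAttributePasswordHistoryDepth</key><integer>${HISTORY_DEPTH}</integer></dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Evaluation: read a -getaccountpolicies dump on stdin; return 0 only when every
# target integer is present with the expected value (whitespace-insensitive match).
policy_matches() {
  local flat key val pair
  flat=$(tr -d ' \t\n')
  for pair in "minimumLength=${MIN_LENGTH}" "policyAttributeExpiresEveryNDays=${EXPIRE_DAYS}" \
              "policyAttributeMaximumFailedAuthentications=${MAX_FAILED}" \
              "autoEnableInSeconds=${LOCKOUT_SECONDS}" "policyAttributePasswordHistoryDepth=${HISTORY_DEPTH}"; do
    key=${pair%%=*}; val=${pair#*=}
    case "$flat" in *"<key>${key}</key><integer>${val}</integer>"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Local accounts (UID >= 500) minus exemptions; dscl is the macOS directory tool.
local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
    is_exempt "$u" || echo "$u"
  done
}

evaluate() {   # exit 1 (non-compliant) if any account deviates from the target
  local rc=0 u
  for u in $(local_users); do
    if pwpolicy -u "$u" -getaccountpolicies 2>/dev/null | policy_matches; then echo "compliant: $u"
    else echo "non-compliant: $u"; rc=1; fi
  done
  return $rc
}

remediate() {  # apply the plist to each account, then force a change at next login
  local tmp u
  tmp=$(mktemp /tmp/pwpolicy.XXXXXX)
  build_policy_plist > "$tmp"
  for u in $(local_users); do pwpolicy -u "$u" -setaccountpolicies "$tmp"; done
  pwpolicy -setglobalpolicy "newPasswordRequired=1"
  rm -f "$tmp"
}

case "${1:-}" in evaluate) evaluate ;; remediate) remediate ;; esac
```

Run as `sudo ./script.sh evaluate` or `sudo ./script.sh remediate`. Keeping policy_matches as a pure filter lets the compliance check be exercised against a saved -getaccountpolicies dump without touching a live account, and the whitespace-stripped comparison tolerates the indentation differences between the file you wrote and what pwpolicy prints back.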

Password complexity policy requirements

  • macOS 10.12 Sierra or later

  • Root or sudo access to run pwpolicy commands

  • Not compatible with endpoints using Active Directory or other directory services for authentication

  • Configurable policy variables: minimum length, password expiration (days), failed login attempts, lockout duration (seconds), and password history depth

  • Exempt account configuration available for service accounts or remote management accounts

Expected state after password policy enforcement

After this Worklet completes, your macOS endpoints will have password complexity policies enforced for all local accounts. All affected users will see a password change prompt at their next login. Their passwords will need to meet the new complexity requirements: at least 10 characters including uppercase letters, lowercase letters, numbers, and special characters. Passwords will expire every 90 days, previous passwords cannot be reused immediately, and accounts will lock for two minutes after five failed login attempts.

You can verify the applied policies by running pwpolicy -u <username> -getaccountpolicies on any endpoint to confirm the policy plist has been applied. The policy settings persist until they are explicitly changed or removed by another Worklet execution.

How to validate enforce password complexity changes

  1. Run this Worklet on a pilot macOS endpoint and review evaluation output for enforce password complexity.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, for example by running pwpolicy -u <username> -getaccountpolicies and comparing the returned values against the target settings.

  4. Validate the remediation effects (the policy plist applied to each non-exempt local account and the global newPasswordRequired flag set), then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
