MacOS – Can an ‘incorrect password lockout’ be set

macospasswordSecurity

I administer seven Macs running a range of OS X 10.10 to macOS 10.13. The machine I use to administer them is running OS X 10.10.

All of the users are Standard accounts, with one Admin account which I use to administer the computers.

Is there a way to set an incorrect password lock out, which will only let you try more passwords if, a set time is elapsed, or the Admin user grants access again?

I would like to use the lockout as an additional layer of security from someone trying to brute force their way into a remote desktop session with a machine when the machine is on a public network (eg. hotel / airport etc).

Best Answer

It turns out that you can use a Terminal command to achieve this. Note that parts of this command are deprecated, but I tested it on macOS 10.13.3 and everything seems to work.

On the device that has the account you want to set a lock on, log into the administrator account.
Open Terminal and enter the following command; pwpolicy -u testuser -setpolicy "maxFailedLoginAttempts=1". Assume that testuser is the short name of the user you want to apply the lockout settings to, and 1 is the number of failed attempts required to trigger the account lock.
Restart the device to ensure that the changes take affect.

If an account is locked, you can log into the administrator account again and unlock the standard account using the following command; pwpolicy -u testuser -enableuser.

Update: I was able to test this with remote connections, and your device will not allow remote authentication with a locked account.

Related Solutions

Sudo password incorrect all of a sudden

Have you verified your password is correct by authenticating through the GUI? An easy way is to go to System Preferences > Accounts and click the lock icon. Also, verify that your user account has not lost administrative privileges (you can do this from the same preference pane). If you've lost administrative privileges the issue may be related to something else.

MacOS – How to automount a shared network drive for Time Machine backups

I think I can get you started, but using terminal commands, which you said you'd prefer to avoid. Apologies, but it might give you a starting point. All of the following you could put in a bash script and run as a login item.

You'll need to first share out the target drive(s) (MyBook in the examples below) using file sharing (System Preferences > Sharing > check the File Sharing box, add the drives you need and set appropriate permissions - I just use Everyone to keep it simple).

You can mount a remote machine and/or its associated drives using mount like so:

Make a directory as the mount point (obviously call test whatever you want):

mkdir /Volumes/test

Now mount the remote drive. I'm assuming this is already connected to your iMac and appears when you connect to your iMac using Finder:

mount -t afp afp://<your mac's name>/<drive name to mount> /Volumes/test

On my remote Mac Mini, to connect to my MyBook attached to it via USB, that would be:

mount -t afp afp://bobs-mac-mini/MyBook /Volumes/test

If you need to authenticate (I got error -5000 when trying to mount my home folder), you can also do this using

mount -t afp afp://<username>:<password>@<your mac's name>/<drive name to mount> /Volumes/test

However, the password would unfortunately have to be in the clear. So again, this might be:

mount -t afp afp://binarybob:password123@bobs-mac-mini/MyBook /Volumes/test

You can also connect to your home folder using the above method, just by replacing MyBook with the name of your home folder.

The drive you mounted should now appear in the finder and you should be able to use it like any other locally mounted drive. When you're finished, you can do:

umount /Volumes/test

to remove it. BTW, if you're not an administrator, you might need to add sudo in front of each command and type an administrator password.

Best Answer

Related Solutions

Sudo password incorrect all of a sudden

MacOS – How to automount a shared network drive for Time Machine backups

Related Question