How to set up password policies in OS X

OS X does not include many options for managing accounts and passwords, but you can do so with the free Workgroup Manager tool from Apple.

Generally each account on an OS X system is protected with a password; however, the security of a system can be compromised by the use of an insecure password. For example, common passwords like "12345," "password," or "letmein," or short passwords may be easily guessed. Sometimes account holders on a multiuser system may even use a blank password, which can easily let anyone into their accounts. By default OS X will warn users of such practices and recommend strong passwords be used, but ultimately does not prevent users from setting whatever password they want.

Additionally, if you have a system set up for multiple people to use (especially those in a more public or shared area), even if each user has his or her own account, you may wish to ensure security by enforcing periodic password changes or automatically disabling an account after a set time frame.

Options to set such restrictions in OS X are possible, but they are hidden by default. While you can create managed user accounts on a system and set up some restrictions for them, password management is not among the options. The only such options Apple provides is for administrators to change passwords in its Users & Groups system preferences, and to prevent password changes in the Parental Controls system preferences.

Workgroup Manager in OS X
In Workgroup Manager, click the Accounts section and then the Options button in the Advanced tab. Be sure to authenticate (arrow) in order to make changes (click for larger view). Screenshot by Topher Kessler/CNET

If you would like more options for managing account passwords in OS X, you can do so by using Apple's Workgroup Manager program, which was a part of its OS X Server package but has now become available as a general tool for anyone to use.

Workgroup Manager is built to administer networked accounts on directory domains such as the Open Directory service in OS X Server; local accounts on a Mac system are structured similarly to networked accounts and share many of the same features, including password policy restrictions. Therefore, you can use Workgroup Manager to access the local account database and manage these hidden policies.

To do this, first download Workgroup Manager from Apple's Downloads page, and then install the program, which should be placed in your /Applications/Utilities folder. When you open Workgroup Manager, you will initially see a warning about only being able to see the local account database, which is fine (you can check the box to no longer view this warning).

The Accounts section should be selected by default, but if it's not, click it in the program's toolbar, and then click the lock to the far right of the window just below the toolbar to authenticate to the local directory (the path should be noted as /Local/Default). Once authenticated, you will see a list of users and groups to the left, and then some account properties to the right.

User password reset request in OS X
With the password reset policy requirement enabled, the next time the user logs in he or she will have to provide a new password (click for larger view). Screenshot by Topher Kessler/CNET

To change password policies, first select the account you would like to change, and then click the Options button in the Advanced tab to the right. A drop-down window will appear that will have various restrictions for the user account and password. These include allowing or preventing the user from logging in, or disabling the user's account on a specific date, after a period of inactivity, or after a specified number of failed log-ins.

For password restrictions, you can prevent the user from changing his or her password, enforce password lengths, require passwords to be reset after a number of days, and require the password to be reset when the user next logs in.

Keep in mind that while this is possible with Workgroup Manager, it is no longer Apple's fully supported option. Its features (especially those it currently supports for password management) still work properly for current releases of OS X; however, moving forward some features in OS X may evolve past Workgroup Manager's capabilities. The officially supported version of Apple's account management utility is Profile Manager, which is packaged with Apple's OS X Server software, available for $20 in the App Store, which should provide similar management options.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Featured Video