CIS1 Password length incorrect #59

Closed
opened 2026-01-19 18:29:05 +00:00 by michael · 2 comments
Owner

Originally created by @BenjaminHoegh on GitHub.

Summary

CIS1 control for password length in the macOS security compliance project incorrectly sets the required minimum password length to 15 characters. According to the CIS Benchmark, the correct requirement is 14 characters.

Steps to reproduce

  1. Run the macOS security compliance project with CIS Level 1 enabled.
  2. Review the configuration or check applied settings for password policy.
  3. Observe that the minimum password length is set to 15.

Operating System version

macOS Sequoia 15.4

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

The policy enforces a minimum password length of 15 characters.

What is the expected correct behavior?

The policy should enforce a minimum password length of 14 characters, per the official CIS macOS Benchmark Level 1 guidance.

Author
Owner

@robertgendler commented on GitHub:

Which CIS Benchmark are you looking at?

The macOS 15.0 Sequoia Benchmark 1.0.0 has it listed as
`Ensure that a minimum of a 15-character password is part of the password policy on the computer.`

Please make sure you are referencing the most up-to-date benchmark, as it is very easy to find an old one.

Author
Owner

@BenjaminHoegh commented on GitHub:

Oh, I see, my colleague has forwarded me the wrong one. Sorry for the trouble.

Reference: usnistgov/macos_security#59