Are there any low-level settings in local Directory Service that can increase the blocking time after typing wrong password?
15-04-2021
Question
I find there's a global policy that can temporarily block/disable a user (only 1 minute) after authenticating with wrong passwords a few times.
But what I want to do is to increase that 1 minute to a longer time, or permanently disable that user. Is it possible?
Solution
Try using pwpolicy
pwpolicy -n /Local/Default -setpolicy "minutesUntilFailedLoginReset=3"
This will set the policy of a failed login for a local account to 3 mins between logins.
pwpolicy -n /Local/Default -setpolicy "maxFailedLoginAttempts=1"
This will set the maximum number of failed login attempts to just 1 (IMO this is way too restrictive to account for innocent typos).
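A way to verify the two settings named in the answer after changing them, as an added example that is not part of the original answer. It assumes the policy is available as a space-separated `key=value` string (on a Mac, for instance captured from `pwpolicy -n /Local/Default -getglobalpolicy`); the sample string, the function names and the thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit lockout settings in a pwpolicy-style policy string.
# Assumption: input is space-separated key=value pairs.

# Constructed sample input (not taken from a real machine).
SAMPLE_POLICY="usingHistory=0 maxFailedLoginAttempts=1 minutesUntilFailedLoginReset=3 requiresAlpha=0"

# Print the value of key $2 found in policy string $1; return 1 if absent.
policy_value() {
    for pair in $1; do
        case "$pair" in
            "$2"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Check policy string $1 against a minimum reset time in minutes ($2) and a
# maximum number of allowed failed attempts ($3). Returns 0 only if compliant.
check_lockout() {
    rc=0
    attempts=$(policy_value "$1" maxFailedLoginAttempts) || attempts=""
    reset=$(policy_value "$1" minutesUntilFailedLoginReset) || reset=""
    case "$attempts" in
        ''|*[!0-9]*) echo "FAIL: maxFailedLoginAttempts missing or not numeric"; rc=1 ;;
        # Assumption: 0 is treated here as "no limit", i.e. lockout not enforced.
        0) echo "FAIL: maxFailedLoginAttempts=0 (treated as no limit)"; rc=1 ;;
        *) [ "$attempts" -le "$3" ] || { echo "FAIL: $attempts attempts allowed, limit is $3"; rc=1; } ;;
    esac
    case "$reset" in
        ''|*[!0-9]*) echo "FAIL: minutesUntilFailedLoginReset missing or not numeric"; rc=1 ;;
        *) [ "$reset" -ge "$2" ] || { echo "FAIL: reset after $reset min, minimum is $2"; rc=1; } ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: attempts=$attempts reset=${reset}min"
    return "$rc"
}

# Constructed thresholds: at least 3 minutes before reset, at most 5 attempts.
check_lockout "$SAMPLE_POLICY" 3 5
```
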
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange