password policy allowsimple in macos 13 Ventura

[bernstei]

Has anyone noticed the allowsimple password policy setting recently? It forbids consecutive identical or sequential characters, which in principle seems like a reasonable idea, but it appears that Apple implemented the setting as a simple on/off, not as a user-settable max number in the consecutive group. It appears to ban even 2 consecutive identical and 3 consecutive sequential. Is anyone aware of a justification for those thresholds? Those are very small values, and make it very difficult to pick passwords in the real world in my experience.

[brodjieski]

The default values for consecutive characters is 2 and sequential characters is 3 when setting the allowSimple key in the com.apple.mobiledevice.passwordpolicy payload. If you need to adjust these settings, you'll have to manually deploy a pwpolicy and set them accordingly rather than using the configuration profile to set them.

The default policy looks like this when setting allowSimple to false:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>policyCategoryPasswordContent</key>
	<array>
		<dict>
			<key>policyContent</key>
			<string>(policyAttributeSequentialCharacters &lt; policyAttributeMaximumSequentialCharacters) and (policyAttributeConsecutiveCharacters &lt; policyAttributeMaximumConsecutiveCharacters)</string>
			<key>policyContentDescription</key>
			<dict>
				<key>policyDefaultContentDescription</key>
				<string>Not have two consecutive, or three sequential characters.</string>
			</dict>
			<key>policyIdentifier</key>
			<string>ProfilePayload:eb050371-14c7-4e2d-bcb8-0a1f6c8ff646:allowSimple</string>
			<key>policyParameters</key>
			<dict>
				<key>policyAttributeMaximumConsecutiveCharacters</key>
				<integer>2</integer>
				<key>policyAttributeMaximumSequentialCharacters</key>
				<integer>3</integer>
			</dict>
		</dict>
	</array>
</dict>
</plist>

If you modify those values, you can then set them using pwpolicy -setaccountpolicies and feeding it the XML file. I'm not sure why Apple settled on those default values, or why they didn't include a mechanism to easily edit them with a profile. Guess it's a good case for some feedback to them.

[bernstei]

Awesome - I'll have to see if I can get this to work with a pwpolicy.

[bernstei]

Is there any documentation about how the mobileconfigs and pwpolicy interact? I.e. if I have some things set via the mobileconfig (which are conveniently automatically generated by this project's generate_guidance script) do I need to

• remove the mobileconfigs and replace with a pwpolicy?
• keep the mobileconfigs, but the pwpolicy will override them, so it needs to include all rules anyway?
• keep the individual setting set via the mobileconfig, and somehow just add the granular repeated character rules via pwpolicy?

[brodjieski]

Unfortunately, there is likely ZERO documentation on the interaction lol... most of what I have learned is from observations.

• If you apply a mobileconfig with password settings, I believe it appends that to the existing pwpolicy.
• If you remove that mobileconfig, the pwpolicy remains... it doesn't remove what it added.
• From testing, DDM handles this a bit better.

My advice... is if you have to do password policy... either accept the limitations of the mobileconfig options... or manage it entirely with pwpolicy.

[vaughnhart]

I'm sorry... what's DDM?

[brodjieski]

Declarative Device Management

[vaughnhart]

Wow I think the first three paragraphs restated themselves. Keep it simple. Protocol and protocol makes it sound like a new protocol. Ok.

[bernstei]

Out of curiosity, has anyone tested this setting? The text of the pwpolicy xml and man page (

     policyAttributeMaximumConsecutiveCharacters     Maximum number of consectuive characters allowed in a password.

) seems to state pretty clearly to me that 2 repeated or 3 sequential is OK, but from my initial tests it appears that it won't allow 2 repeated. I wouldn't have gotten nearly as exercised about it if I thought they implemented what they claim to be implementing, rather than an even tighter limit. I'll have to go back and do a more systematic test.

[brodjieski]

When setting allowSimple to false, the logic they put behind the values is a < that number and not a <= (see snippet below). Meaning if you set it for 2 consecutive characters, that means you can't have 2 repeated... setting it to 3 would allow for 2 repeated, but not 3. I haven't tested this yet, but you could customize the pwpolicy to meet the logic you are trying to accomplish.
From the applied policy:
policyAttributeConsecutiveCharacters < policyAttributeMaximumConsecutiveCharacters

[bernstei]

Yes, that appears to be the logic in practice. It's just not what "Maximum number of consectuive characters allowed" means in English, which means that policy, as configured behind the scenes by the mobileconfig I guess, is using the "Maximum" field in contradiction to the pwpolicy documentation. That's at best ugly, arguably just a bug in the policy that's set up by the mobileconfig.

[bernstei]

Out of curiosity, does anyone happen to know where (in the macOS system directories?) that conversion (from the mobileconfig field allowSimple to the actual pwpolicy xml content) happens?

[brodjieski]

my guess it that it is handled by the mdmclient

[bernstei]

By the way, by way of followup for the record. If you leave the mobileconfig installed and modify the pwpolicy fields that are created by that mobileconfig, the changes to the actual active pwpolicy do not survive logout (or maybe reboot?). It appears that the pwpolicy is recreated from the mobileconfig each login. If you want the changes to stick you have to install the mobileconfig, get the pwpolicy, modify it, remove the mobileconfig, and then install the modified pwpolicy (or at least we couldn't find a simpler way).