Possible to hide "Password hint: (Recommended)" box?

eliu01
New Contributor II

Our Security team has asked if the "Password hint: (Recommended)" box can be hidden on the password change window in System Preferences -> Users & Groups -> Change Password
65bcc323a54242d0880612e3be74a52b

If so, how? Haven't found any discussions here asking for this, and Google is no help. Thank you!

8 REPLIES 8

walt
Contributor III

How are you "managing" user passwords? do you use LDAP, AD, or something like that?

JustDeWon
Contributor III

@user-CimMKXfEHV , you can disable the hint feature with defaults write com.apple.loginwindow RetriesUntilHint -int 0.. Not sure if it hides the box though..

gachowski
Valued Contributor II

99% sure it doesn't hide the box or prevent users from adding a hint.. It will just keep it from showing up after failed attempts. And in the past it's been buggy as updated and upgrades in the past from Apple have broken it and then the next update from Apple fixes it..

C

eliu01
New Contributor II

@walt We're authenticating against AD, but are in the process of moving to JAMF Connect.

gachowski
Valued Contributor II

@eliu01

You can build a config profile com.apple.loginwindow

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>{RetriesUntilHint</key> <integer>0</integer>
</dict>
</plist>

eliu01
New Contributor II

@gachowski - does this disable the hint box on the password reset window shown in the original post, or only prevent password hints from appearing on the login screen? The "RetriesUntilHInt" string makes me think it's for the login screen.

gachowski
Valued Contributor II

Apple doesn't support disabling that window in your post ... The best solution is to keep the hint from showing on failed logins attempts usually that is what the Security teams want. or ... who cares what the hint is if you can't see it when you need it? : )

C

walt
Contributor III

@eliu01 what we do is use AD + the Apple Kerberos SSO plugin, so to help prevent out of sync passwords we restrict the change password via Users & Groups and Security preferences. So that ultimately would prevent the user from changing their password and adding a password hint. you can also hide the Hint for the login window via a config profile.