Set the password policy in macOS Server
You can use the Server app to set a password policy that’s applied to all users. Changes take effect the next time users log in.
There are two types of policies: disabling login when specific conditions are met, and password restrictions.
The server enforces password policies for users. For example, a user’s password policy can specify a password expiration interval. If the user tries to log in and the server determines that the user’s password has expired, the user must set a new password to log in.
Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically.
Important: If you choose to disable a user account after a number of failed login attempts, the user account is automatically reenabled after one minute.
In the Server app sidebar, select Users.
Select Local Users or Local Network Users (for Open Directory users).
Click the Action button and choose Edit Password Policy.
Select the options to enable, then click OK.