How easily can my locked Mac OS X account be open?
February 13, 2009 12:57 PM Subscribe
How difficult is it to break into someone's account on a Mac?
For several years I only had one account on my macbook (Leopard 10.5.6). This was also the admin account (I know that can be bad).
But I've started to travel more and use the internet in various coffee houses, etc. I recently accidentally left my macbook for about an hour at a starbucks (hard to believe I know). Luckily someone had turned it in and everything was how I left it.
This got me concerned about my personal info, work info, etc. that someone would have if that happened again and they didn't turn it in. So I created another account that basically is only for surfing around when I'm out. I never open the admin account at a coffee shop.
My question is not in regards to wifi insecurity, but in account security. If I had my second, for fun account open, and someone stole my macbook, how difficult would it be for them to get access to my password protected admin account?
I'm guessing someone knowledgeable could, but I'm talking about Joe Average.
For several years I only had one account on my macbook (Leopard 10.5.6). This was also the admin account (I know that can be bad).
But I've started to travel more and use the internet in various coffee houses, etc. I recently accidentally left my macbook for about an hour at a starbucks (hard to believe I know). Luckily someone had turned it in and everything was how I left it.
This got me concerned about my personal info, work info, etc. that someone would have if that happened again and they didn't turn it in. So I created another account that basically is only for surfing around when I'm out. I never open the admin account at a coffee shop.
My question is not in regards to wifi insecurity, but in account security. If I had my second, for fun account open, and someone stole my macbook, how difficult would it be for them to get access to my password protected admin account?
I'm guessing someone knowledgeable could, but I'm talking about Joe Average.
Response by poster: Well thank you for the quick response. Guess I just have to be more careful.
posted by gtr at 1:05 PM on February 13, 2009
posted by gtr at 1:05 PM on February 13, 2009
Anyone with an install CD can reset any login password on a OSX mac and then log in and use it like normal.
This was also the admin account (I know that can be bad).
This isn't the same level of bad as it is on a PC for what it's worth because you often have to re-enter the admin password to do adminnish stuff. For people who know what they're doing, this is nothing to work around but for your average laptop thief this would likely be dissuading.
posted by jessamyn at 1:23 PM on February 13, 2009
This was also the admin account (I know that can be bad).
This isn't the same level of bad as it is on a PC for what it's worth because you often have to re-enter the admin password to do adminnish stuff. For people who know what they're doing, this is nothing to work around but for your average laptop thief this would likely be dissuading.
posted by jessamyn at 1:23 PM on February 13, 2009
If you want to make your Mac less vulnerable (but with fewer features), Apple's Open Firmware Password application will prevent others from booting with a LiveCD to the best of my knowledge, and I'm pretty sure it also disables firewire target disk mode. For more info, take a look at the knowledge base entry on setting firmware-level protection on a Mac.
posted by Your Time Machine Sucks at 1:25 PM on February 13, 2009
posted by Your Time Machine Sucks at 1:25 PM on February 13, 2009
It's also quite easy to bypass the Open Firmware (or the new EFI firmware on Intel Macs) password on a Mac. All you have to do is pull a RAM chip to change the amount of RAM in the machine, then reset the PRAM, put the RAM back in, and boot it up....this process clears any Open Firmware password on the Mac.
Just last week I did this to a machine owned by a Fortune 500 company, presumably with an IT Department that is clueful. (No, I didn't violate any IT policies; it was entirely legitimate).
Yes, setting an OF password is another layer of security, but it's not much of one. Anyone with physical access to the machine can easily get around any layers of security you put in place. Hence the saying, the only real security is logical (physical) security.
Someone suggested FileVault, which is part of the OS but has a relatively spotty track record. I've been recommending to my clients that they get in the habit of storing confidential files in encrypted disk images, which are very easy to make with Disk Utility, and even easier to make with the excellent shareware program, DropDMG.
posted by mrbarrett.com at 1:26 PM on February 13, 2009 [2 favorites]
Just last week I did this to a machine owned by a Fortune 500 company, presumably with an IT Department that is clueful. (No, I didn't violate any IT policies; it was entirely legitimate).
Yes, setting an OF password is another layer of security, but it's not much of one. Anyone with physical access to the machine can easily get around any layers of security you put in place. Hence the saying, the only real security is logical (physical) security.
Someone suggested FileVault, which is part of the OS but has a relatively spotty track record. I've been recommending to my clients that they get in the habit of storing confidential files in encrypted disk images, which are very easy to make with Disk Utility, and even easier to make with the excellent shareware program, DropDMG.
posted by mrbarrett.com at 1:26 PM on February 13, 2009 [2 favorites]
Technical reference for beating FileVault (and other on-disk encryption) with physical access if the computer is left on (e.g. screenlocked). http://citp.princeton.edu/memory/
As for FileVault - yes, it's slow, but if you have large chunks of disk (music, photo libraries) that don't need to be encrypted you can move them outside your home directory to avoid some of the slowdown. Doing this, my PowerbookG4 works more than fast enough (for me) with FileVault enabled.
With the target-disk attack, you can assume they now have your encrypted password file. If your FileVault password is the same as your login password (the default) they can dictionary attack it at their leisure.
My minimum suggestion:
* If the computer leaves the house, enable FileVault
Secondary:
* For extra-sensitive files (your finance directory, etc), wrap it in a second encrypted disk image with unrelated password. Something like Knox automates this for you very easily.
posted by devbrain at 1:26 PM on February 13, 2009 [1 favorite]
As for FileVault - yes, it's slow, but if you have large chunks of disk (music, photo libraries) that don't need to be encrypted you can move them outside your home directory to avoid some of the slowdown. Doing this, my PowerbookG4 works more than fast enough (for me) with FileVault enabled.
With the target-disk attack, you can assume they now have your encrypted password file. If your FileVault password is the same as your login password (the default) they can dictionary attack it at their leisure.
My minimum suggestion:
* If the computer leaves the house, enable FileVault
Secondary:
* For extra-sensitive files (your finance directory, etc), wrap it in a second encrypted disk image with unrelated password. Something like Knox automates this for you very easily.
posted by devbrain at 1:26 PM on February 13, 2009 [1 favorite]
Apple's 240 page Leopard Security Configuration Guide (3.4 MB PDF).
posted by sharkfu at 1:27 PM on February 13, 2009
posted by sharkfu at 1:27 PM on February 13, 2009
You can use applications like Knox and TrueCrypt to create password-protected volumes for sensitive documents and other information that you mount (and provide a password for) only when you need them.
posted by socratic at 3:06 PM on February 13, 2009
posted by socratic at 3:06 PM on February 13, 2009
XKCD regarding security
There are limits on what technical provisions can do. When one wall of the castle becomes too strong, it's easier for the attackers to switch to a different wall.
posted by Chocolate Pickle at 3:14 PM on February 13, 2009
There are limits on what technical provisions can do. When one wall of the castle becomes too strong, it's easier for the attackers to switch to a different wall.
posted by Chocolate Pickle at 3:14 PM on February 13, 2009
Regarding that second account - you can set up a Guest login account on OS-X that has a reasonable level of security in that when it's logged out, it will delete it's settings (including things like browser history and such) when logged out. I've done that when loaning my Macbook out to folks. It also has fairly limited access to the rest of your machine (only certain applications, etc, can be launched).
Also, WRT theft, there's a security app called Undercover that can be used to track down a stolen Mac - it's a low-level app that checks a website when your Mac is booted and if that Mac is reported stolen, takes steps to secure it and make it more trackable (logging into any local open access points and reporting the SSID's, taking pictures with the eyesight if present, etc). A knowledgeable thief/hacker would probably be able to easily disable it if they knew it was installed, but some average coffee-shop laptop-snatching Joe Average type probably wouldn't know any better.
posted by StickyC at 12:26 AM on February 14, 2009 [1 favorite]
Also, WRT theft, there's a security app called Undercover that can be used to track down a stolen Mac - it's a low-level app that checks a website when your Mac is booted and if that Mac is reported stolen, takes steps to secure it and make it more trackable (logging into any local open access points and reporting the SSID's, taking pictures with the eyesight if present, etc). A knowledgeable thief/hacker would probably be able to easily disable it if they knew it was installed, but some average coffee-shop laptop-snatching Joe Average type probably wouldn't know any better.
posted by StickyC at 12:26 AM on February 14, 2009 [1 favorite]
Generally, you need to use osx to encrypt the home directory if you are worried about security.
If you do that, then I think its past average joe to get into your stuff.
posted by scottschulthess at 9:44 AM on February 14, 2009
If you do that, then I think its past average joe to get into your stuff.
posted by scottschulthess at 9:44 AM on February 14, 2009
That XKCD method wouldn't work with a Truecrypt volume because of its "plausible deniability" features. It can be circumvented, but that's way beyond your average, wrench-wielding joe.
posted by Thoughtcrime at 3:46 PM on February 14, 2009
posted by Thoughtcrime at 3:46 PM on February 14, 2009
This thread is closed to new comments.
posted by nomisxid at 1:01 PM on February 13, 2009