This is your Mac. This is your Mac on lockdown.
November 20, 2012 9:22 AM   Subscribe

Looking for best practices for home data security for an exclusively Mac household.

We've had questions about security on the Mac before (search), and for protecting files and folders, a password protected disk image sounds like the way to go (I might also try Knox, though I'm not sure what it adds--but I use 1Password religiously). I'd be happy to hear any new developments (i.e., have people stopped experiencing FileVault corruption issues?), but that seems straightforward enough.

The slap to the forehead moment, however, was realizing that 1) I don't know what Keychain has in it and who could use it (assuming access to the machine), and 2) I leave gmail logged in, and my wife has always running, and if someone had one of the machines, access to the email could give them broad access using "forgot my password" links (D'oh! I realize as I'm writing this that I should have separate emails for those that don't stay logged in!). And those are just the holes that occurred to me at 4:00 in the morning--I'm sure you Mac boffins can think of a million other overlooked holes.

I know TimeMachine is unencrypted, but if I nuke the drive and start backing up once I've set up a encrypted disk image, I'm assuming that I'd be ok (although does the archive allow, e.g., a cookie or open browser session to be backed up? Is that just magical thinking?). I also am wondering about unencrypted iOS backups--would there be a way to extract anything from them? Can you pull anything out of a Spotlight index?

I'll probably add a screen saver / wake from sleep password, but I know that doesn't secure data, just the most casual snoops (target disk mode, password resets, etc.).

TL;DR: assume I'm an average Mac user who's been lazy about security (using Keychain, "keep me logged in" status on Gmail and other web sites), no password to access, no encrypted data other than in 1Password). Please tell me anything I need to delete, update, uncheck, install, opt out of, opt into, or buy to make my Macs locked down tight. I don't mind spending money, I don't mind inconvenience.

If my Macs were lost or stolen, I don't want to give one second's thought to the security of sensitive data or backdoors through email or Keychain or iOS backups or whatever. Thanks!
posted by Admiral Haddock to Technology (4 answers total) 16 users marked this as a favorite
Use 1password for everything.

Disable guest accounts, set a screen saver password.
Automatic login - off.
Display Login window as Name and Password

Filevault 2 (Whole disk encryption) and tell time machine to encrypt the backups (it's unencrypted by default, but you don't have to keep it that way) - features available since Lion.
Filevault 2 only *REALLY* protects your machine if it is just starting up, however most folks stealing your gear aren't going to be sure to keep it powered up so they can then hijack the filevault decryption key from resident memory.

There are several options out there for remote wiping macs, including iCloud, I haven't evaluated them personally as I believe a solid whole disk encryption strategy AND a solid remote backup strategy makes the need to wipe the machines remotely kind of an extra unnecessary step especially if I held to a solid password for the machines.

If someone breaks your local account password, then they have access to your keychain if they have access to your keychain they have access to everything stored in it - certificates, stored passwords on the system (other than 1password stuff), etc.
posted by iamabot at 10:20 AM on November 20, 2012

Keep in mind that with physical access the rule of thumb is that a persistent individual will gain some level of access. The following steps will make your machine much harder:

First you will need to lock down the boot system (EFI) on your machines: here is the instructions from Apple. DO NOT LOSE THIS PASSWORD. This prevents someone from simply booting the device from USB or DVD or firewire target mode.

Second you should password protect your screensaver: Go to System Preferences and this time select the “Security” icon and about down check the box for “Require password to wake this computer from sleep or screen saver.”

Third put your sensitive files in an encrypted folder. Truecrypt is what I use. Make certain your backup of this file works. You lose this password the data is LOST. This ensures that it is non trivial to get your sensitive data, it requires a staggering level of effort to break an encrypted folder.

Fourth: Change your user to "standard" and create a new user for administrative use. It is in the System Preferences under the User icon.

Fifth: Users should be forced to login with passwords

Sixth: Consider getting anti-virus: Sophos and ClamXav are both free and are from reputable organizations. These don't have to full time - they can be used to scan the system regularly for issues.

Seventh: ensure your OS is up to date.

Securing email is a whole different issue.
posted by zenon at 10:37 AM on November 20, 2012 [2 favorites]

You remarked that your Time Machine isn't encrypted- however for recent versions of the Mac OS you can change that!

Go to Time Machine preference pane, then Select Disk... and select the disk you're using for backup. You should be able to Encrypt backup disk. Once again - this is a really crucial password so never lose it - it will be necessary if you ever try to recover the backup from a different machine.

As for the Keychain - there are several steps you can take to lock it down.

Open keychain - it is in the utilities folder (in the application folder). Once open you are interested in two "keychains" (upper left box) the login or sometimes its your mac username and the system. The login keychain is where all of your safari passwords and other saved account info lives. System has passwords used system wide - like your wireless password. Don't mess with this keychain. Clicking on login will list the name and Kind in a big list in the main window of the Keychain program. If you click on one of your passwords it will provide a summary - and clicking on "show password" (if keychain has saved one) will prompt for your current keychain/login account password to show it to you.

Set Keychain to automatically lock:
Right click on the login in the upper left - and select "Change settings" - set a time limit keychain will remain unlocked. Normally keychain is unlocked for as long as you are logged in, now it will prompt you with a password to unlock once the clock is up. I would suggest that 5 minutes is way too short. How often do you want to get harrassed to use your computer?

Extra protection: Change Keychain to use a different password: (note: this might be burdensome - you should now be signing in just to use the computer, and this step would require a second password to unlock your saved passwords)

Once again: Right click on the login in the upper left - and this time select "Change password .... " and change the keychain password.

The first step limits how long the keychain is unlocked, and the second ensures that even if someone has gained access to your account, an additional password is required to unlock the keychain.

Now the question is: where/how are you managing your essential passwords?

You should have:
1. EFI/boot password
2. Admin account password
3. User account password for your daily account
4. Time Machine backup password
5. Encrypted folder/locker password
And you may also have
6. 1pass/ password manager password
7. Keychain password

With that setup only the seriously dedicated would have a go at your data, and #5 & 6 represent nearly insurmountable obstacles.
posted by zenon at 11:40 PM on November 25, 2012

Response by poster: Update: I've started using an encrypted archive for sensitive files, and it has been really great. I'm still going through Keychain to ensure I've got all the passwords in 1Password, but I'm in the process of locking that all down. I've added a user account password for my account, and my admin account has always had a password.

I haven't updated to the newest OS, so I don't have Time Machine encrypted, but I'll probably do that in the New Year.
posted by Admiral Haddock at 11:43 AM on December 4, 2012

« Older Dry shampoo recommendations   |   What kind of eye doctor to see in Ontario? Newer »
This thread is closed to new comments.