|
|
Password protection on Mac OSx
|
|
|
|
Fresh-Faced Recruit
Join Date: Sep 2007
Status:
Offline
|
|
Hey,
I'm in love with my new mac but, I just read that if someone wanted access to the files on my HD, all they would have to do is insert a Mac OSx install disc and reset the password. This is very disconcerting for me... is there a way to make my files safer?
Thanks for the help
Tim
|
|
|
|
|
|
|
|
|
Forum Regular
Join Date: May 2007
Location: Canada
Status:
Offline
|
|
Yes, you can reset the login password with an install disk. To stop that, you can institute an open firmware password to prevent booting from a dvd.
However, that can be bypassed by changing the ram configuration.
So in the end if someone is determined they can get to what's laying around your hard drive...
So the solution is to make a disk image with encryption and choose a strong password. Then store your important files in there. You'll have to mount the image every time you want to view or change those files but it's the price you pay for security.
|
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status:
Offline
|
|
If somebody sketchy is going to be physically ****ing around with your computer, they could just hook the hard drive up to a computer of their own and there's nothing any OS could do to stop it. Storing sensitive files in an encrypted disk image is the best suggestion.
|
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
|
|
Read the Help about FileVault. This is what the feature is designed for.
|
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status:
Offline
|
|
I would recommend an encrypted disk image over FileVault. It literally does the same thing, except FileVault does it to your entire home folder and is kind of dodgy.
|
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
|
|
|
|
|
|
|
|
Baninated
Join Date: Aug 2007
Location: i have moved to another location per peter's message
Status:
Offline
|
|
It has always, always been the case with computers that once you have physical access then it is only a matter of time before someone gets your data. FileVault helps with this issue, but it's not on by default. In Unix/Linux systems all one has to do is replace the /etc/password file and they have access. Booting into single user mode is the same as it gives you root access.
The best thing you can do is turn on FileVault, use good, strong passwords and use encrypted folders. But this might be a bit paranoid.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Mar 2006
Status:
Offline
|
|
Plus a mantrap in your office.
|
|
|
|
|
|
|
|
|
Fresh-Faced Recruit
Join Date: Sep 2007
Status:
Offline
|
|
Originally Posted by Aegis
Yes, you can reset the login password with an install disk. To stop that, you can institute an open firmware password to prevent booting from a dvd.].
Thanks for the help guys, I'm not really worried about physical security. Does anyone know how to institute an open firmware password on an Intel Macbook?
|
|
|
|
|
|
|
|
|
Baninated
Join Date: Aug 2007
Location: i have moved to another location per peter's message
Status:
Offline
|
|
(
Last edited by pinenuts; Sep 5, 2007 at 11:46 AM.
Reason: misinformation)
|
|
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Nov 2005
Status:
Offline
|
|
Originally Posted by Chuckit
I would recommend an encrypted disk image over FileVault. It literally does the same thing, except FileVault does it to your entire home folder and is kind of dodgy.
Yes. Unless your are a CIA agent, you probably don't need all your files encrypted. If you mess up with File Vault, you will have a real problem PLUS your backup procedures become much more complicated with File Vault.
I created some read-write disk images using Disk Utility (in Applications->Utilities) and chose the option for encription. Then enter a gigantic password with upper and lower case, numbers and symbols. When you open the disk image BE SURE TO UNCLICK THE BOX THAT WILL SAVE THE PASSWORD IN THE KEYCHAIN BECAUSE THIS DEFEATS THE PURPOSE OF THE PASSWORD.
I created a small encrypted disk image (1MB) for some small files, that I access often, and for backups I just copy the whole file. I then have a bigger encrypted disk image for bigger files that I don't access too often.
|
Mac Pro Quad: 2.66GHz; 4 GB Ram; 4x500GB drives; Radeon X1900, 23" Cinema Screen, APC UPS
PowerBook G4: 1.33GHz; 768MB Ram; 60GB drive
|
|
|
|
|
|
|
|
Junior Member
Join Date: Aug 2007
Status:
Offline
|
|
This thread title is a little misleading.
|
WhiteBook 2GHz Core 2 Duo, 3GB RAM, 250GB WD Scorpio HD
Wireless Mighty Mouse, Logitech S530 Wireless Keyboard & Mouse, Hyundia 22" LCD
80GB Apple HD in Omata USB Caddy, 500GB FreeCom NAS formatted as HFS+ so no longer NAS
M-Audio Ozonic keyboard, M-Audio Solaris microphone, M-Audio BX5a speakers, Logic Studio
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Sep 2005
Location: Los Angeles, California
Status:
Offline
|
|
I agree with SpencerLavery.
|
Linkinus is king.
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
If an intruder has physical access to the machine, the machine is compromised, pure and simple. File Vault has "issues" at times, and forgetting the password or a glitch can lose ALL your data. Physical security is the absolutely essential key to computer security; if you don't have the machine in a secure location and worry about someone using your OS X disc, LOCK UP THE DISC.
Note that there is no such thing as Open Firmware on Intel Macs. For pre-Intel Macs, here are Apple's Open Firmware password instructions For Intel Macs, I can't find definitive instructions for setting the (available) firmware password-hopefully someone will chime in.
And I'm going to change the title to something that actually relates to the subject.
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status:
Offline
|
|
Originally Posted by ghporter
Note that there is no such thing as Open Firmware on Intel Macs. For pre-Intel Macs, here are Apple's Open Firmware password instructions For Intel Macs, I can't find definitive instructions for setting the (available) firmware password-hopefully someone will chime in.
Pinenuts posted a link above detailing how to set a firmware password on Intel Macs. You just use the Firmware Password Utility on the install DVD. You can also set it via the Terminal the same way you would on a PowerPC Mac, with the nvram command.
|
Vandelay Industries
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Ah. On the DVD! I went looking for the utility as if it were installed with the OS. It makes more sense that it's on the DVD, and thus harder to access and mess with/up. I had sort of glossed over pinenuts' post-sorry pinenuts!
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Status:
Offline
|
|
Originally Posted by rehoot
BE SURE TO UNCLICK THE BOX THAT WILL SAVE THE PASSWORD IN THE KEYCHAIN BECAUSE THIS DEFEATS THE PURPOSE OF THE PASSWORD.
Not true. As long as your login password is strong, the keychain is a safe way of storing multiple passwords. You can then safely make the other passwords, for files and websites, etc insanely strong, because you'll never have to remember them. Click on the little key icon that appears when you're asked to create a password, to open the Mac OS X password assistant, which will help you make some very strong passwords.
If someone gets hold of your encrypted files, they will have very little chance of breaking the password, and even if they do, that password will only be good for that one file.
Of course, if you're login/keychain password is 'password' or 'abc123' then all this advice goes out of the window.
|
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status:
Offline
|
|
Originally Posted by Gee4orce
Not true. As long as your login password is strong, the keychain is a safe way of storing multiple passwords.
This brings us back to the beginning of this thread: If somebody has physical access to your computer, they can change your password to "paperclip" or whatever they want. That's why we were suggesting an encrypted disk image if this is a major concern.
|
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Status:
Offline
|
|
Ah - yes, in that case, fair point.
Interestingly, there is a document available from the NSA that describes appropriate security measures on Mac OS X. One of it's suggestions is to actually store your keychain on a removeable flash drive - and take this with you when you leave your Mac.
Personally, for super-secure documents I use an encrypted partition on a USB flash disk (thanks to Knox), and keep that with me. I have the password for it stored in my keychain, but that's no use to anyone if the documents are in my pocket ! And if I should loose the flash drive, the AES128 encrypted image is rated by the NSA as good for Top Secret information !
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status:
Offline
|
|
You can't change the Keychain password unless you have the original password. If someone steals your computer, when they reset the login password with an OS X disc, they do not reset the Keychain password. You can only change the Keychain password through the Keychain utility or through System Prefs and only if you have the existing password.
|
Vandelay Industries
|
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Nov 2005
Status:
Offline
|
|
Originally Posted by Gee4orce
Not true. As long as your login password is strong, the keychain is a safe way of storing multiple passwords.
The level of security that is needed will dictate the best course of action -- for some people putting all passwords in the keychain is good enough.
I stopped using the key chain long ago, so I'm not sure about the current features. I'm not sure if OS X allows you to leave it unlocked??? If you are not forced to enter a keychain password, then you might leave it unlocked by mistake (Murphy's law). This might mean that the computer repair person or anyone who uses your computer could get to your banking information or other important files.
|
Mac Pro Quad: 2.66GHz; 4 GB Ram; 4x500GB drives; Radeon X1900, 23" Cinema Screen, APC UPS
PowerBook G4: 1.33GHz; 768MB Ram; 60GB drive
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Forum Rules
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|