HolidayBuyer's Guide

OS X 10.7.4 fixes FileVault password snafu

A debugging error that left some users' passwords stored in plain text in OS X 10.7.3 has been closed in OS X 10.7.4.

Last week a security hole in OS X 10.7.3 was uncovered where the account passwords for Lion users who had upgraded from Snow Leopard and who were still using the legacy FileVault encryption scheme were being stored in plain text in system log files. This issue happened apparently because a debugging flag for the OS software had been left enabled in the public release. Following this finding, Apple today issued the next version of OS X Lion, which along with other fixes and tweaks, closes this security hole for these users.

The security hole was found to be a matter of carelessness on the part of one of Apple's software engineers, and for those affected, the only options to avoid it were to disable the legacy FileVault technology in place of FileVault 2 (Apple's new approach to encryption), followed by changing the account password and optionally removing the log files that contained the passwords.

In the OS X 10.7.4 update that was released today, Apple has apparently addressed this security issue so passwords for people who still use the legacy FileVault technology will no longer have them logged to the system logs. The update does not clear out any log entries that contain the passwords, so to address this, if your system is one that uses FileVault, then run the following commands to clear out the system's security logs:

sudo rm -f /var/log/secure.log
sudo rm -f /var/log/secure.log.*
sudo rm -f /var/log/asl/*

These commands perform a more refined version of the procedure I outlined in previous instructions on how to remove the passwords from the log files. These refinements come from Apple's provided instructions for the procedure. If you would like to keep your security logs intact but just clear out entries that contain the passwords, then you can run the following script that MacFixIt user NightFlight1973 contributed to our previous coverage of the bug:

cd /var/log
bzip2 -d secure.log.*
for LOG in secure.log*; do grep -v passwordAsUTF8String $LOG >${LOG}.T; mv ${LOG}.T $LOG;done
bzip2 secure.log.*
chmod 600 /var/log/secure.log*

To run this script, open the Terminal utility (in the /Applciations/Utilities/ folder) and then perform the following steps:

  1. Create a new script file by running the following command:


  2. Next copy the above text for the script and paste it into the Terminal window.
  3. Press Control-O to save the file, followed by Control-X to exit the text editor.
  4. Run the following command to allow execution of the script:

    chmod +x

  5. Execute the script with the following command:

    sudo ~./

When this is done, your log files should be clear of any entries that contain your password, and at this point you can remove the file called "" that is in your home folder. Overall if your system has not been used by others during the time you had OS X 10.7.3 on it, then you likely have nothing to worry about in terms of your password's security, but you may still consider changing it just to be on the safe side.

Questions? Comments? Have a fix? Post them below or !
Be sure to check us out on Twitter and the CNET Mac forums.