Concerns about password and data safety in OS X

Following a recent MacFixIt article on resetting passwords in OS X, a few people have raised concerns regarding account data safety.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
6 min read

A few days ago we posted an article discussing ways to reset passwords in OS X in the event of a password being lost. After this some people wrote in with concerns about the apparent ease at which password security can be overcome, since anyone with an OS installation DVD can reset account passwords and gain access to data on a system.

This is true for the most part, and is an unfortunate security quirk that can be found in many operating systems, including OS X, Windows, and Linux. Basic password security on a system can be overcome if someone has physical access to the system, which is especially an issue as laptops and other portable systems become more popular.

Here are some concerns people may have regarding this in OS X:

By using a boot DVD to reset passwords, can someone gain full access to my data and files?
Technically, a person with a boot DVD will be able to reset any standard account password on the system; however, keep in mind that this person would need physical access to the system. Standard account passwords do not guard data from someone who has physical access to a machine, since that person can always bypass the operating system (for example, by ripping out the hard drive) to get access to the data.

If an account password is reset by an unauthorized person, won't that person now have access to all the account's keychain passwords?
OS X keychains are highly encrypted and the log-in keychain is given the account's current password when it is created. If you change the password without being logged in to the account, then the keychain will not be updated with the new password and therefore will not open automatically when you log in with the changed password. Unauthorized password changes will therefore never allow anyone access to the items stored in the OS X keychain.

Can FileVault account passwords be changed as well? Could anyone reset the master password for FileVault?
Whenever you create a new FileVault account, the encrypted disk image stores the new log-in password but also will store the "Master" password when you set it up. This means that the one master password is shared for all FileVault accounts (all the encrypted disk images will have it), but each account then has its own unique log-in password for everyday use that will unlock keychains and perform other normal functions.

The master password only allows you to access the account in case you forgot the log-in password, so you can reset the log-in password or at least access your data. Without either of these passwords there is no way to change the account's password and the data in the account will be lost if you cannot remember the passwords. These passwords cannot be changed using Apple's Password Reset tools and other means; the only way to reset them is to unlock the FileVault disk image by logging in to the account.

Pretend you have an administrative account on your system (non-FileVault), and a standard (non-admin) account that you use for your work that is encrypted with FileVault. If your laptop is stolen then a thief can use the Apple boot disc to change the Administrative account's password, but he or she will never be able to change the standard account's password. All your data will be in the account, encrypted, but without the master password or the log-in password for the FileVault account the thief will never be able to open the disk image to access the data. At most the thief will be able to use your computer's programs, but your data will be safe.

If all accounts on the system are encrypted, then at most a thief can use Single User mode to set up a new admin account and create new accounts on the system, but none of the new accounts will be able to open or access the encrypted disk images of your old accounts.

The one drawback to FileVault is that if a problem happens and the disk image gets corrupted, then it will be more difficult to restore functionality (occurrences of this are rare). One other minor inconvenience is that Apple's Time Machine backup will currently not work with FileVault accounts when you are logged in. This means that in order to back up your system with Time Machine you will have to make it a habit to log out regularly. But this is more secure anyhow, and keeping your system logged in does defeat the purpose of FileVault. In OS X Lion (the next release of OS X), Apple is supposedly including a way to back up FileVault accounts while being logged in.

What is a firmware password and how could that be affected?
An added measure of security you can set up is a firmware password, which will lock the system's firmware settings so boot arguments cannot be sent to the system during start-up. Once a firmware password is set, the system will not boot to a CD, DVD, or network volume; it will not boot to Safe mode, Single User mode, Verbose mode, or Target Disk mode; and the system's PRAM can't be reset. The only possible interaction is if you try to go to the boot manager screen by holding the Option key at start-up, but the system will require that you enter the firmware password before you can select an alternate boot volume.

This sounds pretty restrictive, but again, with physical access to the system even this password can be reset. The firmware password is set for a given hardware configuration, so if that configuration changes then the password will be disabled. Therefore a simple removal of RAM followed by a reset will clear this password. Apple does help limit access to RAM and other system components on many systems by building in a chassis lock (the Kensington locks on laptops usually prevent access ports from being opened). Therefore even if you do not physically secure the system to prevent theft, just by putting a lock on the chassis (using the loop at the back of Mac Pro systems) you will help secure it from unauthorized access.

To set a firmware password, boot to the OS X installation DVD, choose your language, and then open the Firmware Password tool in the Utilities menu. Set the password and then restart the system. While someone could clear your firmware password, there is no way for anyone to recover the firmware password from your system.

What are the best ways to secure a Mac?
With all these considerations in mind, if you want to secure your Mac the best thing to do is enable all security options that Apple offers. Here are some optional configurations you can consider:

OK security (OS X default)

  1. Basic account password

Good security

  1. Basic account password
  2. Firmware password

Better security

  1. Basic account password
  2. Firmware password
  3. System lock

Best security

  1. FileVault for all accounts
  2. Firmware password
  3. Physical lock to a solid object
  4. Encrypt virtual memory
  5. Use encrypted disk images for all external drives

While the best option in terms of security is to use FileVault, this isn't always needed. There are numerous ways to secure data in OS X without having the whole disk or user account be encrypted (such as using encrypted disk images to store sensitive data) so you can many times get away with being diligent about keeping track of your sensitive data and making sure it is stored in secure locations.

For more information and tips on securing your Mac, see our previous articles on beefing up default system security in OS X and statistics and solutions for cases of computer theft.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.