While most people worry about hackers accessing their Macs over a network, it’s much easier for someone to just walk up to a computer and browse its files. That’s especially true if it’s a laptop, or if it’s in an office, a dorm, or another space where people mill around. Here are eight ways to protect your Mac.
1. Turn Off Automatic Login
When you choose automatic login, you get to skip entering your password when you start up your Mac. But automatic login also allows anyone to start up your Mac and access your files. If you have it turned on, go to OSX’s Accounts preference pane, click on Login Options, and deselect Automatically Log In As user name.
2. Require a Password for Waking your Mac from Sleep or a Screen Saver
Your screen saver looks cool and hides your work, but anyone can press a key to deactivate it and get total access to your Mac. The same is true when your Mac is asleep. Protect against this by going to OSX’s Security preference pane and selecting Require Password To Wake This Computer From Sleep Or Screen Saver.
3. Lock Your Keychain
It’s handy that the Mac’s Keychain application stores your passwords for Web pages, network volumes, e-mail accounts, and more. Even better, when you browse the Web, the Keychain can help Safari autofill password fields without asking for any confirmation.
But what happens if you step away from your desk? Someone else could access everything from your online banking site, to your .Mac e-mail, to accounts at online retailers—without needing to know your passwords.
Protect yourself by changing your Keychain settings. Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity, or change the time limit to 1 minute if you’re really paranoid. Then select Lock When Sleeping for more security.
4. Change Your Keychain Password
By default, the Keychain password is the same password you use to log in to your Mac. Even if you’re the only administrator, others could potentially start up your computer with an OS X installation CD and reset the administration password. If they did that, they could reset all the user account passwords and effectively access your keychain. To protect against this, you need a Keychain password that’s different from your user password. Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.
5. Store Your Sensitive Files in an Encrypted Disk Image
If you have only a handful of sensitive files, as opposed to a Home folder chock-full of top-secret information, it’s easy to store them in a password-protected encrypted disk image. When you want to mount an encrypted disk image, you need to enter a password. When you’re finished working with its files, just eject the disk image. For detailed instructions, see “Protect Data in Panther,” Working Mac, June 2004.
6. Completely Erase Sensitive Files
If you’ve worked on files that you don’t want others to see, you can delete them when you’ve finished. But they aren’t completely deleted—bits and pieces of your files remain on your hard disk, and some file-recovery programs could let another user access them. To completely delete sensitive files, select Finder: Secure Empty Trash. This not only deletes the files but also overwrites them so no one can get at them with file-recovery software.
7. Use FileVault
The ultimate level of protection for your files is to encrypt them. In addition to storing some files in an encrypted disk image, (as explained earlier), FileVault, the feature built into Panther that encrypts your home folder, provides total protection even if someone steals your Mac and removes your hard disk. However, an administrator can reset the FileVault password, so your files are not protected from everyone unless you’re the administrator. (Your user password opens FileVault, so if you’ve left automatic login on, this protection isn’t worth squat.)
To access FileVault, go to the Security preference pane. FileVault creates an encrypted disk image of your entire Home folder; instead of you creating one manually, as mentioned earlier, and moving individual files into it, the operating system handles this, mounting the disk image when you log in and unmounting it when you log out. But when you use FileVault, all your files are encrypted—your photos, music files, movies, and anything else in your home folder.
Early versions of Panther had problems with FileVault that caused data loss, but Apple seems to have resolved these, and FileVault seems safe to use now.
8. Set an Open Firmware Password
As the truly paranoid know, there are three ways to get around a login password: start up the Mac from an OS X installation CD, boot a Mac in target mode while it’s connected to another Mac, or start up a Mac from a network server. So if someone gets physical access to your Mac and has the right tools, he or she can access anything that’s not encrypted.
If you want to prevent users from gaining such access, you can set a low-level password that must be entered even before your Mac begins booting. Open Firmware is special code that is not part of OS X—it’s actually in a chip in your Mac. Like a PC’s BIOS, this chip runs before anything else at startup.
It’s not infallible, but it provides solid protection when your Mac lives in a location that’s accessible to the public. See the Apple technical article “Setting up Open Firmware Password Protection in Mac OS X 10.1 or Later” for more on setting an Open Firmware password.