I know that anyone can access my computer whenever I’m not looking, so I’ll try to prevent others from getting at my private data.
Use admin accounts for administration only
When you initially set up your Mac, OS X creates a single user account for you. That account includes administrative rights, which give you the authority to install, change, or delete anything on the computer.
Using that administrator account as your normal, day-to-day login account can be risky. First, you make it easier to mistakenly change or delete something crucial to your computer’s operation. And second, you open a potential security hole: if you step away from your computer without logging out, someone else will have complete access to your Mac’s data and settings. So the safest course is to set up a second user account, without administrative privileges, and use that as your main day-to-day account. When you need to install software or perform some other administrative tasks, you can still log in to the administrator account.
To set up a new nonadministrator account, open the Accounts pane of System Preferences. If the lock icon in the bottom left corner is closed, click on it and enter your administrator password. Then click on the plus (+) icon to create a new account. You can use the same first and last name as in your existing account, but you must choose a different Short Name. Enter and verify a password, but do not select Allow User To Administer This Computer. Then click on Create Account. If you want to transfer any data (such as preferences files or e-mail messages) from your current account to the new one, drag the items from their current location in your Home folder to the corresponding location in the new account’s Home folder.
4. Makes you practically invulnerable.
3. Good, strong protection—but a really determined intruder can overcome it.
2. Helps deter casual meddlers, but someone who wants to get in will.
1. Makes you feel better, but won’t really keep out intruders.
4. Let’s be honest: it’s a pain in the neck.
3. Takes consistent, considerable effort.
2. Takes a little effort, but it’s not a big problem.
1. Set it and forget it.
Now, choose Log Out user name from the Apple menu and log back in as the new, nonadministrative user. From now on, use your standard account except when you have a specific reason not to.
Don’t share user accounts
If more than one person uses your computer, make sure each user has a separate account. Doing so keeps mail, documents, keychains, browser history, and other personal data safe from casual snooping.
To add an account on your Mac, open the Accounts pane in System Preferences. If the lock icon at the bottom of the pane is closed, click on it. When the Authenticate dialog box appears, enter your administrator password. Then click on the plus (+) button right above the lock, enter long and short user names and a password for the new user, and click on Create Account. Do not select the Allow User To Administer This Computer option.
Once your accounts are set up, be sure to use them. Whenever you finish working on your computer, choose Log Out user name from the Apple menu. The computer will then display the login screen, where the next user can enter a user name and password to log in.
Turn on password prompts
By default, OS X logs you in when you turn on your computer. But forcing your Mac to ask for a password on such occasions can increase your security.
First, open the Accounts pane in System Preferences and, if necessary, click on the lock icon at the bottom of the window and authenticate with your administrator password. Then click on Login Options and deselect the Automatically Log In As option.
Next, go to the Security preference pane and make sure Require Password To Wake This Computer From Sleep Or Screen Saver is enabled. In that same window, select all four of the check boxes at the bottom: Disable Automatic Login ensures that all users have Automatically Log In disabled; Require Password To Unlock Each Secure System Preference prevents changes to systemwide settings without an administrator password; Log Out After XX Minutes Of Inactivity logs you out (closing any encrypted disk images in the process) if you step away for an extended period of time (I suggest entering a small interval, such as 10 or 15 minutes); and Use Secure Virtual Memory encrypts portions of your RAM as they’re swapped out to your hard disk.
For even greater security, consider using Griffin Technologies’ SecuriKey ( ). Once you’ve set up the software for this USB device, you must have the key physically plugged into your computer, and enter a password, to access your files.
Encrypt sensitive files
If your computer were stolen, the thief would be able to read any of your files. Requiring a password to log in wouldn’t keep your data safe, because someone could use an OS X Install disc to reset your password, or remove your hard drive and view the files on another computer. Encrypting your most sensitive files is the best solution.
FileVault, introduced in OS X 10.3 (Panther), can do this, but encrypting all your data in this way can be dangerous; even a minor disk error could leave you unable to access any of your files. A better way is to create an encrypted disk image.
In Disk Utility, create a new disk image (File: New: Blank Disk Image). Then, under Encryption, choose AES-128. From the Format pop-up menu, choose Sparse Disk Image and specify a name and location. When the Authenticate dialog box appears, choose a password; clicking on the key button next to the Password text box will summon Apple’s Password Assistant, which can help you generate a secure one. (See full instructions; if that seems like too much trouble, you can also create an encrypted disk image with a third-party product such as PGP Desktop Home [$99].)
Once you’ve created an encrypted disk image, you can use it to store any files containing private data. Just remember that as long as the disk image is mounted, your files are vulnerable. So be sure to log out (or at least unmount the disk image) whenever you step away from your computer.
Attach a security cable
Every Mac has a small slot (marked by a lock icon) designed to accommodate security cables. You can wrap the cable around an immovable object or attach it to a desk with a mounting bracket to prevent someone from walking off with your computer (or opening its case—say, to remove your hard drive). For laptop users in particular, I strongly recommend securing your Mac anytime you take it out of its case in a café, library, or other public place.
Although security cables are great for when you’re out on the town, they provide little deterrence against theft when your computer is at home and you’re away. So be sure to keep your laptop out of sight when it’s not in use; locking it in a drawer or cabinet not only conceals it but adds another barrier to theft.
If you’re really serious, you can buy a laptop locker (such as those sold by Datum Filing ); it bolts to your desk or other office furniture and offers a stronger lock than a typical office cabinet does.
[ Joe Kissell is the senior editor of TidBits and the author of Take Control of Passwords in Mac OS X (Take Control Books, 2006). ]Nonadmin Accounts: When you regularly use a nonadministrator account, it’s harder for someone to walk up and take over your Mac.Disable Automatic Login: Although setting your Mac to log in to your account automatically is convenient, it’s also unsafe.Encrypted Disk Images: Storing your files in a password-protected, encrypted disk image means nobody can casually browse through them.