Creating and Managing Accounts
Welcome to the first part of this article on Securing Leopard. I’m going to start with the creation and management of accounts, as this is one of the first things you do when setting up a new Mac OS X install. The way you configure and manage accounts on your system can have an impact on your security in the long run.
To begin with it’s worth mentioning that although Mac OS X sets you up with an Administrator account by default, it is generally recommended that you don’t use it on a day-to-day basis. Instead you should create a second standard user account, without administrative privileges, and use that. The reasoning behind this is that if you unknowingly run a malicious program, or someone manages to exploit a vulnerability in OSX and your account is compromised, they will only have basic user privileges. You will still be able to perform administrative functions, but OSX will prompt you for administrative credentials to do so.
Everything covered on this page can be configured in System Preferences -> Accounts.
You’ll regularly hear me go on about the importance of choosing secure passwords. Striking the balance between secure and memorable is perhaps the topic of another article, but I’ll outline some general guidelines that I believe will help. Despite what one might believe (particularly when you work in the tech/security industry), the vast majority of ‘normal’ people still choose relatively insecure passwords. By insecure I mean dictionary words, short strings of digits, other personally-identifying information such as names, dates, etc. If your passwords – you do use more than one, don’t you? – are any of these, then read on…
When choosing a password you may want to consider the following tips:
- Minimum length of 8 characters. Ideally 10+ characters for a strong password, but a minimum of 8 will do if you follow these rules.
- Not a dictionary word. Ideally your password should be composed of a completely random string of characters. Admittedly this isn’t for everyone. If you feel the need to absolutely use dictionary words, then misspell them in a non-obvious way, maybe by swapping certain letters (eg. “bzrthday”). Alternatively put two completely unrelated words side by side such as “jumpstarbase”. No matter what, you want to ensure that your password has no chance of appearing in even the most complex dictionaries used by hackers. Note that if you still choose an obfuscated dictionary word, it should still conform to the rest of the rules in this list.
- At least one lowercase and uppercase letter (jumPstarBase)
- At least one digit (jumP6starBase). Most people swap obvious letters for digits that look the most similar (eg. e=3). It’s better to do this than not use any digits at all, but if possible use a completely random digit. Also, avoid just putting a number (eg. 1) at the end of your password. Lots of people choose “Password1” just to conform to password policies – bad.
- At least one symbol (jumP6star*Base). Again following the tip above, try to avoid replacing S with $, or just putting ! at the end.
- Memorable! If you need to write your password down, then it’s not a good password. There are a few exceptions to this rule, which may tempt you to write passwords down, and I will cover the secure storage of passwords in an encrypted database (such as KeePass) later in this series.
Ideally you’d keep applying the above rules until you ended up with something like jUmP6st^r*Baze – as secure a password as any, if you are keen. This may be overkill for you, but as long as you stick to the minimums recommended above, you’re probably still fine with something like bZr7hd*y. If you want to play around with password creation in a bit more depth, check out PasswordMeter (don’t use your real password).
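The rules above can be turned into a mechanical check. The following is an added example, not part of the original article: the tiny wordlist, the look-alike table and the function names are constructed for illustration, and a real check would load a full dictionary.

```python
import re

# Constructed mini-wordlist for the demo; a real check would load a full dictionary.
WORDS = {"password", "birthday", "armadillo", "jump", "star", "base"}
# Look-alike swaps mapped back to the letters they stand in for (e=3, S=$, ...).
LEET = str.maketrans("3014@$57", "eolaasst")

def is_dictionary_like(pw):
    """True if pw is one wordlist entry after undoing case and look-alike swaps,
    with or without a trailing run of digits/symbols (e.g. "Password1")."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return any(c.translate(LEET) in WORDS for c in (lowered, stripped))

def check_password(pw):
    """Return the list of the article's rules that pw breaks (empty = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if is_dictionary_like(pw):
        problems.append("dictionary word, possibly with obvious swaps")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and uppercase")
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not has_digit:
        problems.append("needs a digit")
    if not has_symbol:
        problems.append("needs a symbol")
    # "Password1" / "secret!" pattern: the only digit or symbol is tacked on the end.
    core = re.sub(r"[\d!]+$", "", pw)
    if has_digit and not any(c.isdigit() for c in core):
        problems.append("digit only at the end")
    if has_symbol and all(c.isalnum() for c in core):
        problems.append("symbol is only a trailing '!'")
    return problems

if __name__ == "__main__":
    for sample in ("Password1", "arm4dill0", "jumPstarBase", "jumP6star*Base", "bZr7hd*y"):
        print(sample, "->", check_password(sample) or "ok")
```

The check only flags single dictionary words, so the two-unrelated-words and misspelling approaches suggested above still pass it.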
Lastly, it’s not good enough to have one secure password and use it for EVERYTHING. In an ideal world you’d have one password for each program or website – but that’s not very realistic for most people. My recommendation is to have a few secure passwords you use for different levels of ‘sensitivity’:
- One password for logging in to your computer.
- One password for your email account.
- One password for ‘insecure’ and non-critical websites (eg. random forums or websites that force you to register)
- One password for medium-level websites (eg. Facebook, LinkedIn, etc – where aspects of your privacy/identity are in play)
- One password for critical sites (eg. Online Banking, PayPal)
Again, this is a bare-minimum recommendation. I can already hear other security professionals objecting to having the same password for online banking as for PayPal. While I agree with them in principle, the above method is still far better than using a single password for every website you have an account on. If you are able to manage that many passwords, always use a unique password. Again, this can be done quite easily if you use something like KeePass to store your passwords.
Mac OS X contains a useful password assistant which also helps you choose a secure password. When creating an account in OSX you get the following window. Note that if you don’t feel you need it, keep the ‘hint’ box empty. This is normally displayed if you enter the password incorrectly three times, and there’s no point in giving an attacker any clues. FileVault is Apple’s data encryption feature, and is covered in Chapter 3: Security, FileVault and Firewall.
Clicking on the little key icon next to the password field displays the password assistant:
If at all unsure about the security of your password, use it. Interestingly, it will detect simply-obfuscated dictionary words, as seen in the screenshot above using the word ‘armadillo’. The ‘Memorable’ option in the dropdown attempts to create a password you can remember by making it easier to pronounce (it may use dictionary words in the process). The FIPS-181 compliant option doesn’t create very good passwords, so I’d avoid it.
Login Options and Guest Account
Once you’ve created your account(s), you’ll find the Login Options at the bottom-left of the Accounts window.
Note: You should avoid naming your Administrator account as done in the above screenshot – it’ll just make it easier for someone to guess your admin login.
The reasoning behind the settings on this pane is pretty straightforward:
- Turn off automatic login. You don’t want someone to turn your computer on and be immediately logged in!
- Display login window as name and password. This just makes it harder for someone with access to your computer to try and guess your password. This way they’d have to guess your username too and, unless it’s something very obvious, it’ll make the task significantly tougher.
- The showing of restart, sleep and shut down buttons is up to you. Some people might not want to allow anyone to just shut down their machine.
- Disable showing of password hints. As previously mentioned, there’s no point in providing attackers with any tips. If I wanted to try breaking into an account, the password hint is the first thing I’d look at. If you do decide to use one, make sure it does not provide an attacker with information that could be used to guess your password.
- If you won’t be using multiple users on your machine, disable the fast user switching menu. If you do need it, then I recommend setting it to display only an icon. It’s amazing the amount of information you can get just by looking at someone’s screen, desktop icons, dock items, etc. In this case you’re allowing anyone who’s looking to see your username. It’s not critical, but it’s just another small step that can help.
The Guest account is a useful feature that allows people without an account on a Mac to log in (without the need for a password) and use it. After they log off, any data they accumulated during their session is deleted. The guest account can be restricted using Parental Controls options.
Needless to say, the guest account can pose a significant threat to the security of your system. Anyone can log in – you can’t set a password for the guest account – and execute code on your machine. They can potentially download malicious software that can allow them to elevate their privileges to that of an administrator, and essentially take control of your computer. Unless you have a particular need for this feature, I’d recommend turning it off. If you do choose to use it, then make sure you restrict it significantly using Parental Controls.
An alternative to the built-in Guest Account functionality is to create a normal user account, for which you can set a password, and then apply Parental Controls. The only downside to this is that the data accumulated during any given session is not automatically deleted.
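The login window and guest account settings recommended above can also be audited from a script instead of by eye. This is an added example, not part of the original article: it assumes the settings are stored in the com.apple.loginwindow preferences plist under the key names shown (verify them on your OS version), and the sample plist is constructed.

```python
import plistlib

# Constructed sample of a loginwindow preferences plist, embedded so the example
# runs offline. The key names are assumptions; verify them on your OS version.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>autoLoginUser</key><string>alice</string>
  <key>SHOWFULLNAME</key><false/>
  <key>RetriesUntilHint</key><integer>3</integer>
  <key>GuestEnabled</key><true/>
</dict>
</plist>"""

def audit_login_prefs(prefs):
    """Compare a parsed preferences dict with the article's recommendations.
    A missing key falls back to the default assumed in each check."""
    findings = []
    if prefs.get("autoLoginUser"):
        findings.append("automatic login is enabled for %r" % prefs["autoLoginUser"])
    if not prefs.get("SHOWFULLNAME", False):
        findings.append("login window shows a list of users, not name and password")
    if prefs.get("RetriesUntilHint", 0) > 0:
        findings.append("password hints are shown after failed attempts")
    if prefs.get("GuestEnabled", False):
        findings.append("guest account is enabled")
    return findings

def audit_sample():
    """Run the audit over the constructed sample plist above."""
    return audit_login_prefs(plistlib.loads(SAMPLE_PLIST))

if __name__ == "__main__":
    for finding in audit_sample():
        print("WARN:", finding)
```

To audit a real machine, parse its loginwindow preferences file with plistlib.load() and pass the resulting dict to audit_login_prefs().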
If I’m honest, Parental Controls is not a feature I’ve ever really used. I’m not a parent, and I have far more experience breaking out of such controls than using them. That said, OSX’s parental controls are very intuitive and allow you to limit which applications can be used, implement website filters and enforce time restrictions.