Lock down your Mac’s security
Tighten your Mac’s security and ensure files and web accounts stay safe.
When you first set up your Mac, the only security measure that’s enforced is that you add a password to your user account. The Setup Assistant makes no mention of extra measures you might want to enable, even though several are built into macOS Sierra. Bear in mind that the features we’re about to look at are defences against physical attack, rather than protection against online ones such as security holes in your web browser or social engineering that tries to trick you into ill-advised action.
1 TURN OFF AUTOMATIC LOGIN
It’s a risk if your Mac is set to log into a user account automatically on startup: all an intruder needs to do to gain access is hold down the power button to turn off the Mac, then restart it. Automatic login can be disabled under Login Options in Users & Groups, or in the General tab of Security & Privacy.
2 OBFUSCATE LOGIN DETAILS
The login window shows account names by default, leaving only passwords to be guessed. Under Login Options, switch to ‘Name and password’ so both need to be entered to gain access. If you use Fast User Switching, set it to show an icon so the account name can’t be read from your screen.
3 RESTRICT YOUR ABILITIES
The first user you create when you set up your Mac is an Administrator with top-level rights. It’s safer to use a Standard account day-to-day, but an Administrator account is needed for system changes. Create a new admin user in the Users & Groups pane, log out, then log into the new account. Select your regular account and untick ‘Allow user to administer...’ to reduce its rights.
4 REQUEST PASSWORD TO WAKE
By default, waking a Mac from sleep or its screensaver allows access to whatever account was left signed in. Under General in the Security & Privacy pane, turn on the option that requires a password to wake, and set how soon it’s needed. Anything longer than five seconds presents a risk if your Mac is left unattended. It’s more convenient than logging out every time.
5 TIGHTEN KEYCHAIN SECURITY
Your account password also protects your Keychain, which gives you access to Safari’s AutoFill feature, for example. The Keychain can be given its own password so that separate consent is needed. To do this, simply open Keychain Access (you’ll find it in ‘Applications/Utilities’), right-click ‘login’ in the Keychain list and then choose ‘Change Password...’
6 LOCK THE KEYCHAIN
In the same menu as mentioned in the tip above, choose ‘Change Settings...’ for options that lock the Keychain when your Mac goes to sleep and after a period of inactivity. In Keychain Access’s preferences, you can add an icon to the menu bar to display the Keychain’s status and manually lock it. When the Keychain is locked, though, background system services may prompt you for access.
7 AN UNPLUGGED HOLE
Without a firmware password, Recovery mode gives anyone the ability to reset any account’s password by typing “resetpassword” in Terminal. The Keychain password is unaltered by this, so an intruder won’t be able to read website logins in Keychain Access or Safari, but they will be able to access files stored locally.
8 SET A FIRMWARE PASSWORD
Restart your Mac and hold ‘Command-R’ at the startup chime to start in Recovery mode. When it finishes loading, go to ‘Utilities > Firmware Password Utility’ and set a password. Make sure you don’t forget it — you’ll need it on occasions such as restoring from Time Machine, and to use other startup key combos.
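To confirm from Terminal that steps 1, 2, 3, 4 and 8 have taken effect, here is an added example script; it is not part of the original article. The preference domains and keys it reads, and the function names, are assumptions about macOS Sierra.

```shell
#!/bin/sh
# Added example, not from the article. The preference domains and keys are
# assumptions about macOS Sierra; later releases may store them elsewhere.

# verdict CHECK VALUE: print PASS or FAIL for one observed value.
# An empty VALUE means the key was absent.
verdict() {
  case "$1" in
    autologin) [ -z "$2" ] && echo PASS || echo FAIL ;;   # step 1: no auto-login user
    showname)  [ "$2" = 1 ] && echo PASS || echo FAIL ;;  # step 2: name and password
    admin)     case " $2 " in                             # step 3: not in admin group
                 *" admin "*) echo FAIL ;; *) echo PASS ;;
               esac ;;
    wakepass)  [ "$2" = 1 ] && echo PASS || echo FAIL ;;  # step 4: password on wake
    wakedelay) d=${2%%.*}                                 # step 4: delay of 5 s or less
               case "$d" in
                 ''|*[!0-9]*) echo FAIL ;;
                 *) [ "$d" -le 5 ] && echo PASS || echo FAIL ;;
               esac ;;
    firmware)  case "$2" in                               # step 8: firmwarepasswd -check
                 *"Password Enabled: Yes"*) echo PASS ;; *) echo FAIL ;;
               esac ;;
    *)         echo UNKNOWN ;;
  esac
}

# Print nothing when the key is missing.
pref() { defaults read "$1" "$2" 2>/dev/null; }

audit() {
  command -v defaults >/dev/null 2>&1 || { echo "not macOS: nothing to audit"; return 0; }
  lw=/Library/Preferences/com.apple.loginwindow
  ss=com.apple.screensaver
  echo "1 automatic login off:   $(verdict autologin "$(pref "$lw" autoLoginUser)")"
  echo "2 name and password:     $(verdict showname "$(pref "$lw" SHOWFULLNAME)")"
  echo "3 standard account:      $(verdict admin "$(id -Gn)")"
  echo "4 password to wake:      $(verdict wakepass "$(pref "$ss" askForPassword)")"
  echo "4 wake delay <= 5 s:     $(verdict wakedelay "$(pref "$ss" askForPasswordDelay)")"
  if [ "$(id -u)" -eq 0 ]; then
    echo "8 firmware password:     $(verdict firmware "$(firmwarepasswd -check 2>/dev/null)")"
  else
    echo "8 firmware password:     SKIPPED (run as root)"
  fi
}

audit
```

Run it as your day-to-day user for steps 1 to 4; under sudo only the step 8 line is meaningful, because the other checks then describe the root account.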
9 P*55WRD TIP
A strong password is one that can’t be guessed either by a person or figured out by a program, and ideally uses a combination of letters, numbers and symbols. Be careful using symbols, though, as the keyboard layout at the password box may put them on unexpected keys. Also avoid the temptation to reuse the same password for everything!