Publishers of technology books, eBooks, and videos for creative people

Home > Articles

User Accounts

This chapter is from the book

Securing Your Macintosh

With its UNIX core, Mac OS X has many robust built-in security features that restrict attempts to compromise the system, either intentionally or accidentally. However, as with any security system, there are ways to bypass or override the controls. In the end, to secure your machine, you must control physical access to the computer as well as user access to the files on the computer.

There are various types of passwords used in Mac OS X, although some of these are optional:

  • Login password — Each user should have a single login password that is used in the login window and prevents other users from accessing his or her files. (Administrators' login passwords also allow them to change system-wide settings.)

  • Open Firmware password — The computer itself can be protected by a single password that prevents unauthorized users from altering the startup process.

  • Master password — An administrator must create a single master password before users can protect their home folders with FileVault. The master password acts as a back door for resetting passwords on FileVault-protected accounts.

  • Resource passwords — Users may create or enter passwords as needed in Web sites, servers, applications, folder archives, and encrypted disk images. For example, to retrieve email, your email client will require the password provided by your Internet service provider.

  • Keychain password — This password unlocks a user's keychain, a Mac OS X feature that simplifies the storage and automatic retrieval of resource passwords as they are needed.

    To maintain a secure company or departmental network and a safe network environment for your users, you must ensure that everyone on your network uses only high-quality passwords.

Creating Passwords

Whenever you create a password, it is important to pick one that will be easy to remember but difficult for other people to guess. If you allow users to transcribe passwords, the written passwords should be stored in a secure place to prevent unauthorized access to the accounts.

The passwords used in this book are not good examples of secure passwords. They are used only for simplicity's sake. However, Mac OS X 10.4 includes a tool called Password Assistant that determines the quality (“strength”) of specific passwords and suggests good passwords. To access Password Assistant, click the small icon of a key that appears in Accounts preferences, Security preferences, Keychain Access, and other Mac OS X 10.4 utilities.

If you choose Memorable from the Type pop-up menu, Password Assistant will generate a password of the specified length, composed of uppercase and lowercase letters, punctuation, and numbers. Such passwords are designed to be easy to remember but not vulnerable to dictionary attacks. A dictionary attack is a common intrusion attempt, where an intruder or intrusion tool simply tries to authenticate with common usernames and words that can be found in a dictionary for the passwords (for example, jsmith as the username and workbook as the password.)

High-quality passwords would be SuP3rM@n!, not superman; l%%k@meNøw, not lookatmenow; and E2B3Two®, not earlytobedearlytorise. Enter these passwords into Password Assistant and watch the Quality indicator. For even stronger passwords, choose a different setting from the Type pop-up menu, or increase the length of the password. A standard user can change his or her own login password, but before doing so the user must enter the current password for authentication. If a user forgets a password, any administrator user on the computer can change the password using Accounts preferences. A password for any account, including the System Administrator, can be changed by booting from the Mac OS X Install DVD and choosing Utilities > Reset Password.

Setting an Open Firmware Password

You can set an Open Firmware password that must be entered whenever anyone attempts to alter the normal startup procedure by pressing a modifier key (such as Option to choose a different startup disk). For instructions, refer to Knowledge Base document 106482, “Setting up Open Firmware Password Protection in Mac OS X 10.1 or later.”

Encrypting Home Folders with FileVault

Although login passwords provide some protection from users gaining access to documents stored in another user's home folder, other users can still gain access to those files. For example, anyone with a Mac OS X Install DVD or an administrator account on the computer can reset a password and log in to the account. Even without changing passwords, someone with System Administrator access can access any file on the system, including those in another home folder.

FileVault enables users to encrypt the contents of their home folders, allowing file access only when the user is logged in. When a user enables the FileVault feature, the user's entire home folder is transferred into an encrypted sparse disk image (which is covered in more depth in Lesson 4, “File Systems”).

When the user logs in to the computer locally (not via ssh or Remote Access), the disk image is decrypted and mounted in the Users folder, allowing the user to use his or her home folder. When the user logs out, the disk image is unmounted and re-encrypted, leaving only the disk image file in place of the user's home folder contents. Other users, including administrators, may access the disk image file, but because the disk image file is encrypted, they can't access the contents without the password. The time necessary to encrypt and decrypt the home folder depends upon the size of the folder and the speed of the computer.

One of the drawbacks of encrypting data is that if the user forgets his or her password, access to the files in the home folder is lost. If an account has FileVault enabled, an administrator user cannot use Accounts preferences to change that account's password, nor can the administrator user turn off FileVault for the account; only the user can do that.

Because users often forget passwords, Mac OS X provides a master password feature to allow passwords on FileVault-protected accounts to be reset. The master password is used only as a back door for recovering FileVault-encrypted accounts. If during login a user enters three incorrect passwords for his or her FileVault-encrypted account, the account's password hint is displayed along with a Reset Password button. After the user clicks Reset Password and enters the master password (obtained from the administrator), he or she can set a new login password.

If you forget the master password, you can reset it, but you must know the passwords for any accounts with FileVault enabled:

  1. As an administrator user, delete the master password keychain file (/Library/Keychains/FileVaultMaster.keychain). When the master password keychain is deleted, Mac OS X assumes that no master password is set yet.
  2. In Security preferences, set a new master password.
  3. Log in to each account that has FileVault turned on, and use Accounts preferences to reset the password for each account.

Setting the Master Password

If you want to use FileVault to encrypt your home folder, you must first set the master password for the computer in Security preferences. This password is different from the password you set in Accounts preferences.

To set the master password:

  1. Log in as Apple Admin.
  2. Open System Preferences and click Security.
  3. Click Set Master Password.
  4. Authenticate as Apple Admin if requested.
  5. Type applemp in the Master Password and Verify fields.
  6. Click OK.

    The master password is set for the computer. You can change it later if you want to by clicking the Change button in Security preferences.

  7. Quit System Preferences.
  8. Choose Apple > Log Out Apple Admin.

Encrypting a Home Folder

To encrypt a home folder using FileVault, create a new user for this exercise and then encrypt the home folder:

  1. Open Accounts preferences.
  2. Unlock the Accounts pane by authenticating as Apple Admin.
  3. Add a new user, Warren Peece (Short Name: warren, Password: peece).
  4. Log out of the Apple Admin account.
  5. Log in to the Warren Peece account.
  6. Open Security preferences.
  7. Click the lock icon at the bottom left of the window, then authenticate as Apple Admin.
  8. Click Turn On FileVault.
  9. Type Warren's password (warren) in the Password field and click OK.

    A warning message appears asking you if you are sure you want to turn on FileVault.

  10. Take a moment to read the warning message, and then click Turn On FileVault.

    The system logs out Warren and displays a message indicating that the system is encrypting Warren's home folder and displays a progress bar. The system creates a sparse disk image, copies the home folder into the image, and deletes the old home folder. When the system is finished encrypting Warren's home folder, the login window appears.

Verifying the Home Folder Encryption

Once a home folder is encrypted, the contents of the home folder are inaccessible unless the owner of the home folder logs in. Do the following to verify that the system encrypted Warren's home folder:

  1. Log in as Apple Admin.
  2. Go to /Users/warren.

    You should see a file named warren.sparseimage. This is the disk image file where Warren's home folder is stored. If you double-click the disk image file, the system prompts you to enter a password. If you enter Warren's password, the disk image mounts.

  3. Click Apple Admin in the menu bar, and choose Warren Peece from the user accounts menu.
  4. Log in using Warren's password.
  5. Go to /Users/warren.

    Notice that Warren can access the contents of his home folder.

  6. Choose Apple > Log Out Warren Peece.

Resetting a User's Password

If Warren forgets his password, the contents of his home folder are inaccessible, unless his password is reset using the master password.

  1. In the login window, select Warren Peece.
  2. In the Password field, type ABC.
  3. Click Log In.

    Because ABC isn't Warren's password, the window will shake.

  4. In the Password field, type 123.
  5. Click Log In.

    Again, access will be denied.

  6. In the Password field, type xyz.
  7. Click Log In.

    Because logging failed three times, the login window will request the master password.

  8. In the Master Password field, type applemp.
  9. Click Log In.

    An alert appears explaining that the user's old keychain will be saved and a new one created.

  10. Click OK.
  11. In the New Password and Verify fields, type peece.

    This will be Warren's new password.

  12. Click Log in.

    The computer will then log in Warren.

  13. Choose Apple > Log Out Warren Peece.

Setting Security Options

You've just learned how to set a master password and turn on FileVault in Security preferences. This pane has a collection of other options to help protect your system from unauthorized use.

You can specify that a password is required to wake the computer from sleep or from a screen saver. You can also disable automatic login to force users to authenticate, require users to enter a password to unlock a secure system preference, and log out a user after a specific number of minutes of inactivity.

A new feature in Mac OS X 10.4 is the use of secure virtual memory. This addresses a rare issue in which private information could be obtained by searching the information left over in the virtual memory scratch files. Select the “Use secure virtual memory” checkbox to take advantage of this feature.

Using Keychains

Beyond the user login password, a user has to keep track of passwords for many other resources, such as Web sites, servers, and applications. When you connect to a server or Web site or open a keychain-aware application, the password used can be stored in the keychain. The next time you access those resources, the password is read from your keychain automatically.

The user's default keychain is automatically created at the same time the account is created. That keychain is named “login” and is stored in ~/Library/Keychains. By default, the login keychain is protected by the user's original login password. A system-wide keychain named “System” is also created by default and is shared by all users on the system. Since the keychain is not “tied” to the computer, it can be copied to other computers. For example, when a user upgrades to a new computer, he or she can copy the keychain from the old computer to the new one.

You can use Keychain Access (/Applications/Utilities) to create additional keychains for each user, based on types of resources or on particular locations. Users can also use Keychain Access to manage their keychains, including what passwords are stored in a keychain and what password is used to unlock the keychain. Keychain Access also includes Keychain First Aid (located under the Keychain Access menu), which can be used to verify and repair keychain settings and permissions.

You can change the password to unlock a keychain at any time, however, if you want your default keychain to be unlocked automatically when you log in, make sure your keychain password is the same as your Mac OS X login password. If an administrator changes a login password, the keychain password for that account does not get changed as well. As a result, the user can log in with the new password, but the keychain will not automatically open.

Synchronizing Login and Keychain Passwords

When users change their own login password using Accounts preferences, their keychain password is updated with the new password information if the keychain's existing password is the same as the user's existing login password. If a user's login password is changed by an administrator or by the Reset Password utility on the Mac OS X Install DVD, the user's keychain is still protected by the user's old password and needs to be synchronized with the new login password.

This exercise will guide you through resetting a user's keychain password, creating a keychain entry, then synchronizing the login and keychain passwords.

  1. Restart using the Mac OS X Install DVD.
  2. At the first screen, select “Use English as the main language” then press Return.
  3. Choose Utilities > Reset Password.
  4. In the Reset Password window, select the volume icon that represents your startup disk.

    The “Select a user of this volume” pop-up menu will change to list the user accounts on that volume.

  5. Choose Chris Johnson from the pop-up menu.

    New users do not yet have data in the keychain, so changing their passwords has few consequences.

  6. In both password fields, enter f00tba11 (f-zero-zero-t-b-a-one-one).
  7. Click Save.
  8. Click OK in the Password Saved dialog.

    You have changed Chris Johnson's login password. Because the new login password does not match the original login password also used for the keychain, Chris is at risk of losing his keychain data. If a user forgets his or her keychain password when his or her login and keychain passwords are out of sync, the keychain cannot be unlocked and might need to be recreated.

  9. Quit Reset Password.
  10. Quit Installer.
  11. Click Restart.
  12. Log in as Chris Johnson (password: f00tba11).
  13. Open Accounts preferences.
  14. Click Change Password.
  15. Enter the password you just reset: f00tba11
  16. Enter a new password: chris
  17. Quit System Preferences.

    Chris Johnson's keychain does not contain any data. We will now attempt to create an entry in the keychain.

  18. Launch Disk Utility (/Applications/Utilities).
  19. Choose File > New > New Blank Image.
  20. Choose AES-128 from the Encryption pop-up menu.
  21. Enter test as the file name.
  22. Click Create.
  23. In the Authenticate window, enter test in the Password and Verify fields, select the “Remember password (add to Keychain)” checkbox, and click OK.

    Disk Utility attempts to add this disk image's password information to your keychain. Because the keychain is locked, you must authenticate with the keychain password.

  24. When prompted for your keychain password, enter f00tba11 and click OK.

    Because the keychain is protected by the original “changeme” password, the request fails.

    At this point, Chris has no access to his keychain data. If Chris forgot his keychain password, he would not be able to access his keychain data even though his login password could be reset.

  25. In the Password field, enter changeme and click OK.

    Because you entered the password that protects the keychain, Disk Utility is able to create the encrypted disk image and save its password to the keychain.

  26. Unmount the test disk icon from the Finder desktop.
  27. Open Keychain Access (/Applications/Utilities).
  28. Click Show Keychains at the bottom left.
  29. Lock the keychain by clicking the lock icon above the list of keychains.
  30. Double-click the disk image entry.
  31. In the Attributes pane, select the “Show password” checkbox.

    Because the keychain is now locked, you are prompted for the keychain password.

  32. In the Password field, enter changeme and click OK.

    The keychain will unlock.

  33. In the Password field of the “Confirm Access to Keychain” dialog, enter changeme and click Always Allow.

    This grants the Keychain Access application the permission to retrieve the encrypted disk image password. Notice that the disk image password (test) is now visible.

  34. Close the test.dmg window.

    Because the keychain password is not the same as the login password, mounting the test disk image will always require Chris to enter the disk image password. Let's synchronize the keychain password with the login password so that the disk image is automatically opened when double-clicked.

  35. In Keychain Access, verify that the login keychain is unlocked.
  36. Choose Edit > Change Password for Keychain “login.”
  37. In the Change Keychain Password dialog, enter the following information:
    • Current Password: changeme

    • New Password: f00tba11

  38. Click OK to save the new password.

    Chris' keychain password is now synchronized with the login password. If Chris changes his login password again, the keychain password would also be changed because the login password and the keychain password are now the same.

  39. Quit Keychain Access.

Troubleshooting User Account Issues

Here are some basic user account troubleshooting topics and solutions:

  • If you are unable to log into a computer because the administrator login passwords are lost, boot from the Mac OS X Install DVD and choose Utilities > Reset Password. If you can log in using an administrator account, you can reset a user's password in Accounts preferences.
  • Whenever you have a problem with your computer, one troubleshooting technique is to log in with a different user account and see if the problem is reproducible. If the problem does not occur with the other user account, you can focus on the things that are user-specific, such as permissions and preferences.
  • If a user's login password is changed by an administrator or by the Reset Password utility on the Mac OS X Install DVD, the system does not change the old password stored in the keychain to the new one. To fix this problem, the user should use Keychain Access to change the keychain password to match the login password.
  • When using fast user switching to switch to another account, you might not be able to access certain resources. To determine if fast user switching is the cause, turn off fast user switching.
  • If you can't make changes to certain System Preferences such as Network, Sharing, and Energy Saver, or you cannot install applications in the Applications folder, it's because you are a standard user and not an administrator. As a standard user, you are limited to making configuration changes that affect only your account, such as what applications and files are opened when you log in and what picture is displayed as the background pattern. You cannot make changes to system-wide settings without first authenticating as an administrator.
  • You can get information such as Mac OS version, build number, serial number, date/time/time zone, and machine name by clicking the text field under Mac OS X in the login window.

Peachpit Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Peachpit and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Peachpit products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email ask@peachpit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.peachpit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020