Lock it up!

Joe Kisell
11 December, 2007
View more articles fromthe author

I will keep my Mac safe from other users.

In a shared workspace, anyone can access your computer when you’re not looking — so try to prevent others from getting at your private data.

Use admin accounts for administration only.
When you initially set up your Mac, OS X creates a single user account for you. That account includes administrative rights, which give you the authority to install, change, or delete anything on the computer.

Using that administrator account as your normal, day-to-day login account can be risky. First, you make it easier to change or delete something crucial to your computer’s operation mistakenly. Second, you open a potential security hole: if you step away from your computer without logging out, someone else will have complete access to your Mac’s data and settings.

The safest course is to set up a second user account, without administrative privileges, and use that as your main day-to-day account. When you need to install software or perform some other administrative tasks, you can still log in to the administrator account.

To set up a new non-administrator account, open the Accounts pane of System Preferences. If the lock icon in the bottom left corner is closed, click on it and enter your administrator password. Then click on the plus (+) icon to create a new account. You can use the same first and last name as in your existing account, but you must choose a different Short Name. Enter and verify a password, but do not select Allow User To Administer This Computer. Then click on Create Account. If you want to transfer any data (such as preferences files or e-mail messages) from your current account to the new one, drag the items from their current location in your Home folder to the corresponding location in the new account’s Home folder.

Now, choose Log Out user name from the Apple menu and log back in as the new, non-administrative user. From now on, use your standard account except when you have a specific reason not to.

Don’t share user accounts. If more than one person uses your computer, make sure each user has a separate account. Doing so keeps mail, documents, keychains, browser history, and other personal data safe from casual snooping.

To add an account on your Mac, open the Accounts pane in System Preferences. If the lock icon at the bottom of the pane is closed, click on it. When the Authenticate dialog box appears, enter your administrator password. Then click on the plus (+) button right above the lock, enter long and short user names and a password for the new user, and click on Create Account. Do not select the Allow User To Administer This Computer option.

Once your accounts are set up, be sure to use them. Whenever you finish working on your computer, choose Log Out user name from the Apple menu. The computer will then display the login screen, where the next user can enter a user name and password to log in.

Turn on password prompts.
By default, OS X logs you in when you turn on your computer. Forcing your Mac to ask for a password on such occasions can increase your security.

First, open the Accounts pane in System Preferences and, if necessary, click on the lock icon at the bottom of the window and authenticate with your administrator password. Then click on Login Options and deselect the Automatically Log In As option.

Next, go to the Security preference pane and make sure Require Password To Wake This Computer From Sleep Or Screen Saver is enabled. In that same window, select all four of the check boxes at the bottom: Disable Automatic Login ensures that all users have Automatically Log In disabled; Require Password To Unlock Each Secure System Preference prevents changes to system-wide settings without an administrator password; Log Out After XX Minutes Of Inactivity logs you out (closing any encrypted disk images in the process) if you step away for an extended period of time (I suggest entering a small interval, such as 10 or 15 minutes); and Use Secure Virtual Memory encrypts portions of your RAM as they’re swapped out to your hard disk.

For even greater security, consider using Griffin Technologies’ SecuriKey (see “Hotlinks”). Once you’ve set up the software for this USB device, you must have the key physically plugged into your computer, and enter a password, to access your files.

Encrypt sensitive files. If your computer were stolen, the thief would be able to read any of your files. Requiring a password to log in wouldn’t keep your data safe, because someone could use an OS X Install disc to reset your password, or remove your hard drive and view the files on another computer. Encrypting your most sensitive files is the best solution.

FileVault, introduced in OS X 10.3 (Panther), can do this, but encrypting all your data in this way can be dangerous; even a minor disk error could leave you unable to access any of your files. A better way is to create an encrypted disk image.

In Disk Utility, create a new disk image (File: New: Blank Disk Image). Then, under Encryption, choose AES-128. From the Format pop-up menu, choose Sparse Disk Image and specify a name and location. When the Authenticate dialog box appears, choose a password; clicking on the key button next to the Password text box will summon Apple’s Password Assistant, which can help you generate a secure one. You can also create an encrypted disk image with a third-party product such as PGP Desktop Home (see “Hotlinks”).

Once you’ve created an encrypted disk image, you can use it to store any files containing private data. Just remember that as long as the disk image is mounted, your files are vulnerable. So be sure to log out (or at least unmount the disk image) whenever you step away from your computer.

Attach a security cable.
Every Mac has a small slot (marked by a lock icon) designed to accommodate security cables. You can wrap the cable around an immovable object or attach it to a desk with a mounting bracket to prevent someone from walking off with your computer (or opening its case — say, to remove your hard drive).

Although security cables are great for when you’re out on the town, they provide little deterrence against theft when your computer is at home and you’re away. So be sure to keep your laptop out of sight when it’s not in use.

If you’re really serious, you can buy a laptop locker (such as those sold by Datum Filing — see “Hot links”); it bolts to your desk or other office furniture and offers a stronger lock than a typical office cabinet does.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us