It’s impossible to completely protect any device from an attacker with physical access. But, unless you set up your Mac properly, it just takes a reboot and a few seconds to bypass your password — or wipe your hard drive.
For all the talk about security vulnerabilities, the ability for anyone to quickly change a Mac’s password is rarely thought about. It’s yet another good reason to use FileVault encryption and perhaps set a firmware password.
It’s All About Recovery Mode
The key to this process is Recovery Mode — a special environment anyone can access on your Mac if they reboot it and hold Command+R as it boots up. Recovery Mode doesn’t normally require a password to access, even though you’d need to enter your password when booting your Mac normally.
Traditionally, it’s been possible to boot into recovery mode and select Utilities > Password Reset from the menu, which you could use to reset a password if you’ve forgotten it. This option was removed back in OS X Lion, but you can still access the same password-reset utility in recovery mode by selecting Utilities > Terminal, typing resetpassword into the terminal window, and pressing Enter. This would allow anyone with access to your Mac the ability to change your password and access your user account, although FileVault encryption can protect against it.
These same tools are available by booting from OS X installation media — a DVD or USB drive — on a Mac.
Even if your Mac is securely encrypted, anyone with access to it — for example, a thief who stole your MacBook — could enter recovery mode and use the “Reinstall OS X” option to wipe your entire hard drive. This at least protects your personal files from a thief — they’ll just have to start over from scratch. However, it means a thief can quickly wipe your Mac and start using it.
There are ways to reset your password on Windows, of course. But Windows doesn’t make this as easy as a Mac does — these tools aren’t all just a quick keypress away while you boot your Windows PC.
Enable FileVault Encryption to Protect Your Files
If you’re using a Mac, you should ensure FileVault encryption is enabled. FileVault encryption is now enabled by default on OS X Yosemite — assuming you accepted the default option while setting up your Mac, you should be safe. If you opted out of the encryption or you’re using a previous version of Mac OS X, you should enable FileVault encryption now.
Modern versions of FileVault encryption provides whole-disk encryption of your Mac. This means it’s not possible for an attacker to use the resetpassword utility from recovery mode. If you try using this tool after enabling FileVault, you’ll discover you can’t. The utility won’t function, as it just can’t see the Mac system drive or any users on it. Your files are encrypted until you type your password, so there’s no resetting it.
FileVault encryption also protects your files if people try to boot another operating system on your Mac or remove its system drive and read it in another computer. it’s an essential security feature. If you’re not sure whether FileVault is enabled, you can open System Preferences, click Security & Privacy, and click FileVault — or just press Command+Space to open Spotlight search, type FileVault, and press Enter to access it.
If you forget your password on a modern Mac, you can recover it and access your files by providing the recovery key you’re given when setting up FileVault. If you chose to share it with Apple during the FileVault setup process, they can help you regain access to your files.
Enable a Firmware Password to Lock Down Your Mac’s Hardware
Even with FileVault enabled, someone with access to your Mac could still wipe it from recovery mode and set it up as a new system. A firmware password can protect against this.
This will also help if you don’t want to use FileVault encryption for some reason, but do want to prevent people from changing your password and accessing your files. A firmware password also prevents people from booting your Mac from other devices — like USB drives or external hard drives — and accessing your files if they’re not encrypted. Someone could still rip the hard drive out of your Mac and access its files on another device if you just use a firmware password without encryption, however.
If you set a firmware password, you’ll need to enter it before booting into recovery mode or holding the Option key to boot from a different device. Just powering on your Mac normally without doing anything special won’t require the password, so it isn’t too much additional hassle.
No one except Apple themselves can reset a forgotten firmware password — in theory, at least. That’s why this is such a useful method of protection, but it’s also why a firmware password could potentially be a problem. If you do set a firmware password, be extra careful to remember it. You’ll have to visit the nearest Apple Store if you forget it.
If you use Find My Mac to remotely lock your lost Mac, this will set a firmware password on your Mac to prevent a thief from using it. But you can set that firmware password ahead of time. Just boot into recovery mode and select Utilities > Firmware Password to set up a password. (Windows and Linux PCs usually offer a UEFI or BIOS password option, too.)
No, this isn’t cause for panic, but it is a concern. Particularly before Mac OS X Yosemite started enabling FileVault encryption by default, you could grab any Mac, boot it into recovery mode with a quick key combination, and reset the password to bypass it and access that user’s files and data. Any Mac running a previous version of OS X will still be vulnerable unless their owners have gone out of their way to enable FileVault encryption.
Image Credit: Michael Gorzka on Flickr