Mac OS - Impact of hack to non-administrator account

[mac_in_tosh]

I recently went to more complex account passwords on my Mac but my spouse has balked at this and also doesn't like using touch ID. She mainly does email, web browsing and social media. I read up on guest accounts but as all information is deleted upon exit that would not be appropriate. I'm wondering if I go back to the simpler password just for her account what would be the impact of a hack to her account?

If someone were to get into her account, what damage could they do or what information could they obtain from other accounts not knowing the admin password? Could software be installed without the admin password? Thanks.

 

[KaliYoni]

My Mac is setup as follows:

• My daily user account: Managed
• My partner's user account: Managed
• User account used only when troubleshooting: Admin
• Guest user: disabled

This configuration is more secure than constantly using the computer with Admin privileges always enabled.

To fine tune what your spouse's user account can access, you can use Parental Controls. This may be the most effective way for you to limit or contain a successful attack on your spouse's user account. Your overall risk, of course, depends on what data is stored on your computer and if you use your computer for sensitive activities (e.g. financial services, work, medical).

If your Mac is a desktop that is kept at home, you probably don't have to worry much about a relatively weak macOS user account password giving somebody physical access to your computer. However, you still need to be careful about securing all your online accounts, opening email attachments, ignoring phishing attempts, and not responding to social engineering attacks.

If, on the other hand, you use a laptop that is frequently carried around or taken on trips, you should insist on complex passwords and TouchID. And make sure FileVault is turned on.

 

[chabig]

If someone were to get into her account, what damage could they do or what information could they obtain from other accounts not knowing the admin password? Could software be installed without the admin password? Thanks.

If that were to happen, they could only make changes that would affect her account. They could make no change that would affect the computer or any other accounts.

 

[mac_in_tosh]

Your overall risk, of course, depends on what data is stored on your computer and if you use your computer for sensitive activities (e.g. financial services, work, medical).

I do use it for sensitive activities but not in her account.

 

[KALLT]

Note that if you use FileVault (i.e. disk encryption) then any user account has (by default) permission to unlock the drive. If the password is compromised or too easy to guess, then you are jeopardising your own data too.

 

[chabig]

Note that if you use FileVault (i.e. disk encryption) then any user account has (by default) permission to unlock the drive. If the password is compromised or too easy to guess, then you are jeopardising your own data too.

I disagree. The macOS security/permissioning system protects the integrity of individual accounts. User accounts cannot access other users' data.

 

[iHorseHead]

I recently went to more complex account passwords on my Mac but my spouse has balked at this and also doesn't like using touch ID. She mainly does email, web browsing and social media. I read up on guest accounts but as all information is deleted upon exit that would not be appropriate. I'm wondering if I go back to the simpler password just for her account what would be the impact of a hack to her account?

If someone were to get into her account, what damage could they do or what information could they obtain from other accounts not knowing the admin password? Could software be installed without the admin password? Thanks.

Let me tell you something. Passwords do not matter if you don't have FileVault on.
https://www.hellotech.com/guide/for/how-to-reset-admin-password-on-mac
https://apple.stackexchange.com/que...to-a-mac-without-knowing-the-current-password
You also need admin password only if you want to really install an app via installer or drag into applications folder. If you drag the app somewhere else, the app can still run and works just fine (really weird).

Another solution would be buying her an Apple Watch, I guess? I mean Christmas is around the corner…

 

[mac_in_tosh]

Let me tell you something. Passwords do not matter if you don't have FileVault on.
https://www.hellotech.com/guide/for/how-to-reset-admin-password-on-mac
https://apple.stackexchange.com/que...to-a-mac-without-knowing-the-current-password

The linked articles are very disappointing if I am understanding them correctly. They imply that anyone who has your Mac can get into it without knowing your password. This would seem to be a major security failure on Apple's part.

So if FileVault is on neither of those methods would work?

 

[iHorseHead]

The linked articles are very disappointing if I am understanding them correctly. They imply that anyone who has your Mac can get into it without knowing your password. This would seem to be a major security failure on Apple's part.

So if FileVault is on neither of those methods would work?

Yes, you need to turn on FileVault on and if you use a PC you'd need to set a BIOS password, because you can do the same on Windows and Ubuntu (and probably on other Linux distros). I don't think it's really a security flaw.

The bad thing is if you forget your FileVault password then you're pretty much done. If you want to protect your Mac from thieves then yes, you'd need to turn on FileVault.

Another way a person could 'hack' your Mac is by turning your Mac or, holding down the option key (alt) and then reset your password on the installer. (Recovery partition)

There's no way to stay 100% secure, but you can always make it more difficult for thieves and hackers.

 

[chabig]

The linked articles are very disappointing if I am understanding them correctly. They imply that anyone who has your Mac can get into it without knowing your password. This would seem to be a major security failure on Apple's part.

None of those measures work if FileVault is enabled.

 

[KALLT]

They imply that anyone who has your Mac can get into it without knowing your password. This would seem to be a major security failure on Apple's part.

This is how computers work and is not specific to Macs. Users (accounts) only matter within the system they are used, i.e. when the system is running. Data that is stored unencrypted on a drive can be read, e.g. if accessed by another computer. This is somewhat nuanced due to T2/Apple silicon Macs, as these are encrypted already, but it does not absolve you from enabling FileVault.

If the data on the drive is valuable to you then you should enable FileVault. Enabling it will give you a recovery key that you can give to Apple or you store yourself. Account passwords are then used to unlock the encrypted drive, which is why it is important that the user passwords ought to be strong too (see my post above).

 

[mac_in_tosh]

This is how computers work and is not specific to Macs. Users (accounts) only matter within the system they are used, i.e. when the system is running. Data that is stored unencrypted on a drive can be read, e.g. if accessed by another computer. This is somewhat nuanced due to T2/Apple silicon Macs, as these are encrypted already, but it does not absolve you from enabling FileVault.

If the data on the drive is valuable to you then you should enable FileVault. Enabling it will give you a recovery key that you can give to Apple or you store yourself. Account passwords are then used to unlock the encrypted drive, which is why it is important that the user passwords ought to be strong too (see my post above).

Two questions please:

1. What is the difference between the already T2-encrypted drive and encrypting with FileVault?

2. Is the FileVault recovery key just used if you forget your password, otherwise your usual password is used in the usual manner?

 

[KALLT]

Two questions please:

1. What is the difference between the already T2-encrypted drive and encrypting with FileVault?

2. Is the FileVault recovery key just used if you forget your password, otherwise your usual password is used in the usual manner?

1) The difference is that the T2/Apple silicon chip has an encryption module that holds the encryption key. This makes it impossible to decrypt the drive without the chip, such as by mounting it using external hardware or removing it from the mainboard. FileVault adds another layer with passphrases (i.e. the user passwords and the recovery key), requiring both the chip and a passphrase to unlock the drive.

2) Yes. It is essentially a backup key that you can use to decrypt the drive if you forgot your user password.

 

[mac_in_tosh]

I currently do not use FileVault but my Time Machine backup external drive is encrypted and requires a password. If I turn FileVault on and continue to use this TM drive does it then have an encryption of an encryption? Or should I start over with a fresh TM backup after turning FileVault on?

 

[chabig]

I currently do not use FileVault but my Time Machine backup external drive is encrypted and requires a password. If I turn FileVault on and continue to use this TM drive does it then have an encryption of an encryption? Or should I start over with a fresh TM backup after turning FileVault on?

Just leave it as is. You will not have nested encryption.

 

[mac_in_tosh]

As a followup - I enabled FileVault on my 2019 MBPro and have two questions:

1. There wasn't any progress bar or delay shown. It seemed to do it almost instantly and the system preference then showed the option to turn it off. Does that seem right?

2. After rebooting, going to each of the accounts requires password entry. There is no option for TouchID even though in the TouchID system pref Unlocking Your Mac and Fast User Switching are checked.

EDIT: Ok, now it is allowing TouchID. Maybe the first time an account is entered it requires the password?
Also, maybe the reason for no delay is that the disk is already encrypted by the T2 chip. Please confirm.

 

[chabig]

You’ve got it right.

1. Your SSD was already encrypted by the T2. FileVault just associated your login password with the decryption key. So yes, it is immediate, unlike older Intel Macs.

2. The password is always required to log in, because that proves your identity to the machine. TouchID is a convenience not an authentication. It will unlock the machine after the account is logged in. This makes it practical to have more complicated passwords/pass phrases.

 

[mac_in_tosh]

This has been very helpful and I have (hopefully) one last question about passwords. We know hackers can try a large number of passwords per second but such brute force attacks are defended on some systems by locking out entries after a certain number of attempts or by increasing the time between attempts. Does Mac OS do either of these or have some other way of defending against a large number of password attempts?

 

[solouki]

Hi,

Personally, I agree with what has been listed in previous posts: I use a standard account for my network activities, and an administrator account only when required for administrator activities. I use a relatively long passphrase for my user accounts (yielding just 1 out of 10^{82.7} possibilities , roughly the number of protons and electrons in the observable universe -- and thus unlikely to be hacked by brute force attacks), and then once logged in, I employ TouchID so I don't have to retype my longish passphrase repeatedly. I also periodically vary my passphrase.

Any really sensitive information, such as certain projects, financial, medical, insurances, taxes, properties, etc., I store in a private directory that is encrypted with a 4096-bit RSA public/secret key pair (secret key secured by another long passphrase). My encryption/decryption process is performed by a single commandline bash script that disconnects from the network, stops sleep mode, stops RAM swapping to disk, stops WiFi, etc. before performing any decryptions, edits, re-encryptions, and then overwrites RAM with random bits afterwards (7 years ago the Heartbleed security hole caused me to do this) and cleans up any decrypted files before reconnecting to the network. The encrypted information is readily and quickly available whenever I need it, and on any machine under both macOS and Linux.

Good luck,
Solouki

 

[KALLT]

We know hackers can try a large number of passwords per second but such brute force attacks are defended on some systems by locking out entries after a certain number of attempts or by increasing the time between attempts. Does Mac OS do either of these or have some other way of defending against a large number of password attempts?

Macs with a T2/Apple silicon chip do, other Macs don’t.

 

[mac_in_tosh]

Macs with a T2/Apple silicon chip do, other Macs don’t.

What do they do?

 

[KALLT]

What do they do?

They don’t have any technical measures that limit brute-forcing attempts or dictionary attacks.

Brute-forcing a FileVault-encrypted drive is fruitless anyway. Dictionary attacks are possible, so you should still use strong passwords for every FileVault user. You should still do this even on a T2/Apple silicon Mac.

 

[NoBoMac]

Brute-forcing a FileVault-encrypted drive is fruitless anyway. Dictionary attacks are possible, so you should still use strong passwords for every FileVault user. You should still do this even on a T2/Apple silicon Mac.

This, particularly the "fruitless" part. And strong passwords.

If OP wants to get deep in the weeds, give a read of Apple's security white paper.

TLDR: with a T2, all brute force work would need to be done on the Mac that the drive is in, and after 5 attempts, delay becomes a minute and grows from there (1 hour after 9 attempts). Similar to an iPhone. And all random encryption keys are encrypted with different random encryption keys which are encrypted with unique T2 ID meshed with password and kept in the T2. So unless dealing with 3-letter organizations taking the Mac, data is safe.

 

[mac_in_tosh]

This, particularly the "fruitless" part. And strong passwords.

Pardon my confusion, but I thought strong passwords are meant to defend against brute force attacks (doesn't that include dictionary attacks?) yet the referenced paper states that successive attempts are delayed such that trying a significant number of passwords is impractical. Of course one should not choose a very simple password, such as "password," "passw0rd," one's name, etc. But is something like

##k23987fdas;lkj39087udf#$DFSAF32XX5-+(duz

then really necessary?

 

[KALLT]

Pardon my confusion, but I thought strong passwords are meant to defend against brute force attacks (doesn't that include dictionary attacks?) yet the referenced paper states that successive attempts are delayed such that trying a significant number of passwords is impractical. Of course one should not choose a very simple password, such as "password," "passw0rd," one's name, etc. But is something like

##k23987fdas;lkj39087udf#$DFSAF32XX5-+(duz

then really necessary?

Brute-force and dictionary attacks aren’t the same, but they are similar in execution. Both depend on a large number of password attempts. The chip makes that impossible, but it is prudent to not rely on that alone in case vulnerabilities are found in the chip’s firmware that circumvent such protections.

You won’t need a password like that, you can include words to make it memorable and easy to type (e.g. Diceware). The important things are that the password is not short (12 characters or more is nowadays recommended) and should preferably contain a few uppercase characters, numbers and/or special characters.