Thor774

macrumors regular
Original poster
Sep 14, 2007
227
30
Hello

On the iPhone, after you make 6 failed attempts to log in, the phone gets blocked for a minute. If you then enter another wrong password, it gets blocked again for some time.

On the Mac an attacker can try 1000 times at the login screen and the machine always lets him continue trying at the same speed without slowing him down. It would be wonderful if the Mac also blocked itself like iOS, making it harder for the intruder to try his thing.

Is there any way to achieve this?
 

DeltaMac

macrumors G5
Jul 30, 2003
13,760
4,586
Delaware
It's not unusual to look through the system logs and find listings that report a lot of failed login attempts - so what would a lockout do? (and how would you reset it?)

The iPhone does not have a user (username/password) login. It just asks for your passcode, so already a much less detailed login process.
The Mac, with OS X, has an account login window. The default login shows a list of users available to choose for login.
The simplest way to make the login process more difficult is to change the login settings so you have to type both the account name and the password.
I read that you can set up an account lockout for multiple failed login attempts, but that needs OS X Server, or some of the other network access tools installed.
 

Thor774

macrumors regular
Original poster
Sep 14, 2007
227
30
More than a lockout, I am thinking more of a slowdown like iOS does. After, let's say, 6 failed attempts, simply put a time restriction on the login process like iOS has; at least this way it is going to take much longer for someone trying to guess your password. A "wipe your drive after 10 failed login attempts" like in iOS would also be a fantastic tool. This can be easily done by wiping the cryptographic keys on the hard drive, making the data unrecoverable.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,760
4,586
Delaware
And, where would you slow down a failed login?
At the local keyboard?
A local (network) login?
Remote login, not on your network?
Other kinds of account logins?

The point that I was trying to make is that there are a lot of complications on an OS X login that are not part of a 'phone login.
Easier to simply make some logins more difficult, or impossible (turning off file sharing, turning off remote login, other simple system settings that can lock down access from outside), or make it extraordinarily difficult by limiting your usual user account to a standard (not admin) account. Following normal internet security suggestions would also be a good thing (Firewall on, max settings, etc.). Use FileVault to add that additional layer of security, so someone at your computer can't get past that part of the login process. If FileVault is locked, then your data is not retrievable.
Finally, you have to learn to be practical about this - you can make your Mac so secure that it will even challenge you, the owner, when you try to legitimately use your Mac.
 

Thor774

macrumors regular
Original poster
Sep 14, 2007
227
30
> And, where would you slow down a failed login?

I am speaking here about the main login screen you get when the computer is locked or when starting up OSX.

> there are a lot of complications on an OS X login that are not part of a 'phone login.

This is only an excuse. Why can Windows do it without any problems? I don't see how introducing delays at the login screen if the password has been written incorrectly 5 or 6 times in a row would be that problematic. I am not speaking about disabling an account, just discouraging an intruder that gets physical access to the machine. And please don't bring the "you should enforce physical security measures if you are worried about this" argument; the point here is that this has been done by other OSs, so why can't OSX have something like this in place?

I use FileVault and also encrypt my Time Machine backups, but as my MBP does not have a Touch ID sensor my login password is not a complex 20-character-long passphrase. It is OK for a machine that rarely leaves the house though, but a small security measure like this cannot hurt.

I have sent feedback to Apple about this because I think it can be useful.
 

hojx

macrumors 6502
Jan 18, 2014
275
144
Singapore
I suppose this has to do with:


1. there are many more combinations to an alphanumeric OS X password than that of the four-digit iOS password

The traditional (pre-iOS9) iPhone password is only from 0000 to 9999, just 10000 combinations. There is a considerable chance of getting it right from knowing the person (e.g. birthdate) or pure guessing.

Under OS X, your password can be anything from 1 to #fdn9f3^@5Rqf2n$9*h-32r0j34r23! and more. That's virtually an infinite number of combinations possible.


2. the Mac is a larger physical object than the iPhone; timed delay does not discourage intentional break-ins

Due to the fact that the iPhone is a way smaller object than the Mac, it is highly possible for your friends or others to discreetly swipe your phone away to send an embarrassing tweet, etc. A timed delay buffers enough time for you to find out and deter your friends who are not actually stealing your phone.

If someone were to actually steal your iPhone, the timed delay is not really going to deter anyone. If I had the time to waste, I could just have the phone in my room and try a few combinations a day until I eventually unlock successfully.



When an actual theft actually occurs, Find My iPhone/Mac would be a way better method to respond. You can lock the device, set off an alarm, or remote erase the device.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,760
4,586
Delaware
I can't explain why Windows does some of the things it does... Not my job :D

Note that iOS 9 has new options for the passcode - 6 numbers, rather than 4, and those 6 can be alphanumeric, not just numbers.

IMHO, putting delays in the login process would not affect a break-in at all - a lockout (that requires an actual unlock, not just wait it out) would be much more effective. Physical access would beat most security features, given enough time.
If you want a laptop secure - lock it up when not in use...
If you want to protect a desktop, and physical security is not a good option (like a locked cabinet or desk), then take the keyboard when you leave. That will definitely slow someone down.

And, there are solutions if that level of security is required for the data that you use, or the job that you have. It's just not a part of the basic OS X system. Will you have an option for that in the future? Judging by the kind of news that I read each day, I suspect you will see an option like that sooner, not later.
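
The trade-off argued in this thread (attempt delays versus password keyspace), as an added Python sketch that is not from any poster and does not describe Apple's implementation. The only figure taken from the thread is "6 failed attempts, then one minute"; the later delay steps, the one-hour cap and the 2 seconds per typed guess are assumptions.

```python
import hmac
from dataclasses import dataclass

# Only "6 failures -> 60 s" comes from the thread; later steps and the cap are assumed.
DELAY_AFTER_FAILURES = {6: 60, 7: 300, 8: 900, 9: 3600}  # seconds
LAST_STEP = max(DELAY_AFTER_FAILURES)
MAX_DELAY = DELAY_AFTER_FAILURES[LAST_STEP]

def delay_after(failures: int) -> int:
    """Seconds the login screen stays blocked after this many consecutive misses."""
    if failures < min(DELAY_AFTER_FAILURES):
        return 0
    return DELAY_AFTER_FAILURES.get(failures, MAX_DELAY)

@dataclass
class LoginThrottle:
    secret: str
    failures: int = 0
    blocked_until: float = 0.0

    def attempt(self, guess: str, now: float) -> str:
        if now < self.blocked_until:
            return "blocked"  # not even checked, so a correct guess is refused too
        if hmac.compare_digest(guess.encode(), self.secret.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.blocked_until = now + delay_after(self.failures)
        return "fail"

def worst_case_seconds(keyspace: int, per_guess: float = 2.0, throttled: bool = True) -> float:
    """Time to type every candidate at the login screen (the last one is correct)."""
    typing = keyspace * per_guess
    if not throttled:
        return typing
    misses = keyspace - 1
    stepped = sum(delay_after(n) for n in range(1, min(misses, LAST_STEP) + 1))
    capped = max(0, misses - LAST_STEP) * MAX_DELAY
    return typing + stepped + capped

def compare(keyspaces: dict) -> dict:
    """Worst case in days, (unthrottled, throttled), per named keyspace."""
    return {name: (worst_case_seconds(k, throttled=False) / 86400,
                   worst_case_seconds(k) / 86400) for name, k in keyspaces.items()}

if __name__ == "__main__":
    spaces = {"4-digit": 10**4, "6-digit": 10**6, "8-char alphanumeric": 62**8}
    for name, (plain, slow) in compare(spaces).items():
        print(f"{name:20s} unthrottled {plain:14.2f} d   throttled {slow:16.1f} d")
```

Under these assumed numbers, the worst case for a 4-digit space grows from about 5.6 hours of typing to about 416 days, while a long alphanumeric password is already out of reach at the keyboard without any throttle.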
 