Preventing Manual Password Resets on a Mac by Using FileVault Security
Nearly all Mac users have a login and password required to access the Mac upon boot (and if you don’t, you should!), which provides a reasonable layer of password protection to keep out most prying eyes. Users with more advanced security needs may need to go further to protect their Mac from unauthorized access, though: because a Mac administrator password can be reset by a variety of tricks, the simple user login is not necessarily adequate in higher-security situations and at-risk environments.
Ultimately, this becomes a matter of preventing the standard and advanced password reset options for Mac OS X that are achievable through Single User Mode and by using boot disks. There are a variety of ways to accomplish this, but perhaps the simplest method to prevent even the more advanced login bypass attempts is to enable full disk encryption, known as FileVault, which not only encrypts all data on the disk but also places a mandatory login earlier in the boot stages of OS X. That early login requirement prevents unauthorized access to the Mac through single user mode and external boot volumes, which helps to defeat even the more advanced tricks of bypassing user and admin logins or resetting passwords through the command line.
To greatly simplify things, a before and after comparison shows the stages of boot. The “before” represents the theoretical bypass methods that a knowledgeable individual can use to gain access to a machine with simple password protection; the “after” shows the FileVault login effectively forming a login blockade earlier in the boot process, which negates most bypass attempts:
- Before: Boot > Single User Mode > Advanced Password Bypass > Login with full access
- After: Boot > FileVault Security Login required for full access
FileVault is extremely easy to set up for just about anyone and can be done quickly in the “Security” preference panel of OS X. We have covered FileVault encryption thoroughly before; for the unfamiliar, it’s an advanced security feature that offers incredible protection for data on Macs by encrypting the entire disk. Just be sure to understand the risks and limitations associated with using full disk encryption. The speed-reader’s version is basically this: if you forget the FileVault password and you lose the recovery key, your data is permanently locked up and inaccessible by just about everyone. Thus, it may not be practical for every Mac user out there, but for users with stricter security requirements, FileVault is highly recommended, alongside the good habit of regularly locking the screen to help prevent unauthorized access.
For performance reasons, FileVault protection is best used on an SSD flash storage drive, but it does work on regular hard drives as well, though some users may notice an occasional slight performance degradation.
Thanks to Pavol for the tip idea and question! Got a question, comment, or tip idea? Let us know!
As Isidore said, there’s no mention of firmware password, which might actually be a better idea as FileVault has a tendency to slow things down due to needing to encrypt everything upon startup and shutdown. Furthermore, if someone steals a computer that has FileVault protection, it’s rather easy to reformat their drive and start using the computer like normal; this is near impossible unless you replace the logic board on a computer with a firmware password.
Not to mention if you lose or forget your FileVault password… goodbye data.
If you forget your firmware password, goodbye computer & data.
You can regain access if you forget the firmware password, but you need proof of purchase (like the original receipt) and a trip to the Apple store.
You do not discuss the use of an Open Firmware password, which also prevents exploits like booting from an external drive etc. How does this compare from a security point to FileVault?
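As an added example (not code from the article or its commenters), the following shell audit checks the two boot-time controls discussed on this page, FileVault from the article and the firmware password raised in the comments, and reports which bypass path each configuration still leaves open. It assumes macOS’s `fdesetup status` and `firmwarepasswd -check` commands and their “FileVault is On.” / “Password Enabled: Yes” output lines; off a Mac it runs on constructed sample output.

```shell
# Added example, not from the article or its commenters: audit which of the two
# boot-time controls discussed on this page are active on a Mac, and say which
# bypass path (single-user mode, external boot disk) each leaves open.
# Assumes macOS's real `fdesetup status` and `firmwarepasswd -check` commands
# and their "FileVault is On." / "Password Enabled: Yes" output lines.

# classify_protection FDESETUP_OUTPUT FIRMWAREPASSWD_OUTPUT
# Prints one of: full, filevault-only, firmware-only, none
classify_protection() {
    fv=0
    fw=0
    case "$1" in
        *"FileVault is On"*) fv=1 ;;
    esac
    case "$2" in
        *"Password Enabled: Yes"*) fw=1 ;;
    esac
    if [ "$fv" -eq 1 ] && [ "$fw" -eq 1 ]; then echo full
    elif [ "$fv" -eq 1 ]; then echo filevault-only
    elif [ "$fw" -eq 1 ]; then echo firmware-only
    else echo none
    fi
}

# explain LEVEL: what someone with the machine in hand can still do.
explain() {
    case "$1" in
        full) echo "Disk encrypted and boot locked: single-user mode and external boot both need a password." ;;
        filevault-only) echo "Data is encrypted, but the Mac can still be booted from external media and wiped." ;;
        firmware-only) echo "External boot is blocked, but the data on the disk is not encrypted." ;;
        none) echo "Single-user mode or an external boot disk can be used to reset the login password." ;;
    esac
}

# Run the live audit on a Mac (firmwarepasswd needs root); elsewhere fall back to
# constructed sample output so the logic can be exercised off a Mac.
audit_this_mac() {
    if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
        fde_out=$(fdesetup status 2>/dev/null)
        fw_out=$(firmwarepasswd -check 2>/dev/null)
    else
        fde_out="FileVault is On."          # constructed sample
        fw_out="Password Enabled: No"       # constructed sample
    fi
    level=$(classify_protection "$fde_out" "$fw_out")
    echo "$level: $(explain "$level")"
}

audit_this_mac
```

Run it with `sudo sh audit.sh` on the Mac being checked; `firmwarepasswd -check` returns nothing useful without root, which the script treats as no firmware password.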