Preventing Manual Password Resets on a Mac by Using FileVault Security

Jan 3, 2014 - 5 Comments

Secured Mac

Nearly all Mac users have a login and password required to access the Mac upon boot (and if you don’t, you should!), which provides a reasonable layer of password protection to keep out most prying eyes. Users with more advanced security needs may need to go further to protect their Mac from unauthorized access though, and because there are ways of resetting a Mac administrator password by using a variety of tricks, the simpler user login protections are not necessarily adequate for every user in higher security situations and at-risk environments.

Ultimately, this becomes a matter of preventing the standard and advanced password reset options for Mac OS X that are achievable through Single User Mode and by using boot disks. There are a variety of ways to accomplish this, but perhaps the most simple method to prevent even more advanced login bypass attempts is to enable full disk encryption, known as FileVault, which not only encrypts all data on the disk, but also places a mandatory login earlier in the boot stages of OS X. The resulting early login requirements prevents unauthorized access to the Mac through single user mode and external boot volumes, which can help to avoid even the more advanced tricks of bypassing user and admin logins or resetting passwords through the command line.

To greatly simplify things, a simple before and after comparison shows the stages of boot, with the before representing the theoretical bypass methods that can be used by knowledgeable individuals to gain access to machines with simple password protection, and the after with the Filevault login effectively forming a login blockade earlier in the boot process, which negates most bypass attempts:

  • Before: Boot > Single User Mode > Advanced Password Bypass > Login with full access
  • After: Boot > FileVault Security Login required for full access

FileVault is extremely easy to setup for just about anyone and can be done quickly in the “Security” preference panel of OS X. We have covered FileVault encryption thoroughly before, and for the unfamiliar it’s an advanced security feature that offers incredible protection for data on Macs by encrypting the entire disk. Just be sure to understand the risks and limitations associated with using full disk encryption – the speed readers version is basically this; if you forget the FileVault password and you lose the recovery key, your data is permanently locked up and inaccessible by just about everyone. Thus, it may not be practical for every Mac user out there, but for those users with stricter security requirements, it can be highly recommended to use Filevault alongside a good habit of regularly using a locked screen to help prevent unauthorized access.

For performance reasons, FileVault protection is best used on an SSD flash storage drive, but it does work on regular hard drives as well, though some users may notice an occasional slight performance degradation.

Thanks to Pavol for the tip idea and question! Got a question, comment, or tip idea? Let us know!

.

Related articles:

Posted by: Paul Horowitz in Mac OS, Tips & Tricks

5 Comments

» Comments RSS Feed

  1. AJ says:

    As Isidore said, there’s no mention of firmware password, which might actually be a better idea as filevault has a tendency to slow things down due to needing to encrypt everything upon startup and shutdown. Furthermore, if someone steals a computer that has filevault protection, it’s rather easy to reformat their drive and start using the computer like normal, this is near impossible unless you replace the logic board on a computer with a firmware password.

    Not to mention if you lose or forget your filevault password… goodbye data.

    • Vgycft says:

      If you forget your firmware password goodbye computer & data.

      • iynque says:

        You can regain access if you forget the firmware password, but you need proof of purchase (like the original receipt) and a trip to the Apple store.

  2. Isidore says:

    mistyped my email address….

  3. Isidore says:

    You do not discuss the use of an open firmware password which also prevents exploits like booting from an external drive etc. How does this compare from a security point to filevault?

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac

Troubleshooting

Shop on Amazon to help support this site