Remove User Names from Login Window for Added Security in Mac OS X
The login screen of OS X defaults to showing the account pictures and user names of all accounts on the given Mac. This is undoubtedly convenient for most users as it makes logging into accounts much faster, but for situations where a Mac requires higher security, users may wish to hide user account names from the login window, thereby requiring a complete authentication of both a username and password.
The reason this is more secure is fairly simple: not only would an unscrupulous individual have to know or guess the password for a user account, but they would also have to know or guess the username for the account. By hiding the user accounts from the login screens, there are no hints offered as to what user accounts are on the Mac, and a proper username must be known in addition to the appropriate password, offering a layer of privacy and obscurity to help protect the Mac.
How to Hide User Names from Mac Login Windows
Requiring full user authentication at any Mac login screen in OS X is easy. Here’s how to enable this feature:
- Open System Preferences from the Apple menu and choose “Users & Groups”
- Click on “Login Options” in the lower left corner, then click the lock icon to authenticate with an admin user to be able to make adjustments
- If it hasn’t been done already, set “Automatic Login” to OFF*
- Set “Display login window as:” to ‘Name and password’
- Close out of System Preferences
You can now log out, reboot, or lock the Mac’s screen to test the change yourself. The login window will appear as usual, but there will no longer be a list of users and accounts shown. Instead, a basic prompt asks for a complete username and password to log in to the Mac.
All user accounts on the Mac will continue to work as usual, including a guest account, but the username for each account must be entered correctly. Note that full user names or short usernames work for this purpose.
Of course, this is no replacement for using a secure password and securing a Mac in general with things like FileVault and boot passwords, but it’s a trick that adds another level of security to Macs. This can be particularly important on public computers and work machines, though it still has security benefits for more typical portable and home situations too.
* You’ll need Automatic Login turned off for this to work, otherwise a Mac that has been rebooted, locked, or logged back in will simply boot into the desktop without prompting for a user login anyway.
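The two settings from the steps above can also be verified from Terminal, which is useful when checking several Macs. This is an added example, not part of the original article; it assumes the login window preferences are stored in /Library/Preferences/com.apple.loginwindow under the keys SHOWFULLNAME and autoLoginUser, and the function names are made up for illustration.

```shell
#!/bin/sh
# Audit the two login-window settings described in the steps above.
# Assumption: both live in /Library/Preferences/com.apple.loginwindow:
#   SHOWFULLNAME  = 1  -> "Display login window as: Name and password"
#   autoLoginUser set  -> Automatic Login is ON for that account
PLIST=/Library/Preferences/com.apple.loginwindow

# Decision logic, kept separate from the reading step.
# $1 = raw SHOWFULLNAME value ("" if the key is missing)
# $2 = raw autoLoginUser value ("" if the key is missing)
# Returns 0 only when the user list is hidden AND automatic login is off.
evaluate_login_window() {
    show_full_name=$1
    auto_login_user=$2
    rc=0
    if [ -n "$auto_login_user" ]; then
        echo "FAIL: Automatic Login is on for '$auto_login_user'"
        rc=1
    fi
    case "$show_full_name" in
        1|true|TRUE|YES) ;;
        *)  echo "FAIL: login window shows the list of users"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: name and password required, automatic login off"
    fi
    return "$rc"
}

# Read one key; a missing key (or missing plist) reads as an empty string.
read_pref() {
    defaults read "$PLIST" "$1" 2>/dev/null || true
}

audit_this_mac() {
    evaluate_login_window "$(read_pref SHOWFULLNAME)" "$(read_pref autoLoginUser)"
}

# Only run the live audit where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit_this_mac || true
fi
```

A missing SHOWFULLNAME key is reported as a failure because the default login window is the list of users.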
This used to work for me, but I’m setting up a new Mojave MBP and even though I followed the instructions, I still get the user icons on log in screen after reboot. Any thoughts on if something has changed in Mojave?
This works fine for when I remember to log off, but what about when I forget to log out and the computer goes to sleep? I already have it set to require a log in whenever the computer goes to sleep, but when I come back, my username is displayed right there. Is there a way to hide the username when the computer sleeps without a log off?
HELP!
I’ve done this, but what I thought my username was is not working so now I am locked out of my computer and I’m going overseas in 12 hours!!! HELP!!!! I’ve tried to access the terminal to send a command to show users but it’s not working!!!!
You can log in as guest and go to Go > Go to Folder and /Users; here you can see the folders of the users (and the name).
Is there any way to have the system erase itself after ten consecutive wrong password attempts?
I like the way iOS does this and would like to do the same with my mac.
While iOS has that feature built in there is no way to do it with the current Mac OS.
However, you might want to look at a free service from Meraki (now owned by Cisco) called the MDM (Mobile Device Manager). To use it you create a “dashboard” account then get a cert from Apple then install the MDM on any device you like. Computers, phones, even pads of any make, you can then locate, lock or wipe them from anywhere. Just follow the instructions on the site.
It’s very cool and I use it on most of my clients’ machines because if their device is lost or stolen I can brick them with a single click! Even better on a computer I can send it command line, so just think of the stuff one can do with that…
If you want to check it out go to: https://meraki.cisco.com/products/systems-manager.
Paul:
Great article but there is one other caveat you did not mention.
To get the Name and Password fields to show up for login you must also turn off “FileVault”! For some reason, beginning with Mt. Lion, when you turn on FileVault, Apple also decided to disable the “Display login window as” choice. No matter what you pick now you are stuck with the “List of…” choice.
Sad to say when FileVault is a way to keep your machine’s data secure!
Sorry Eric, but this simply isn’t true. I’m running Mt. Lion with FileVault enabled and this works for me. Check your machine for a bug.
Toby:
I don’t mean to question you but… You are saying when you REBOOT your machine and you have your System Prefs > Users & Groups > Login Options… > “Name and password” option selected you get the two fields? And you are sure you have FileVault turned on?!
I know it works if I just logout the machine but if I reboot I always get the “list”. I (and others) have been looking for a solution to this one for a long time so I am very surprised that you are getting it!
From this discussion it seems to have been determined that this is the way FileVault 2 was built to work. See
If you have it working (IMHO) the way it should work, I would love to look at your machine and its com.apple.loginwindow.xxxx files! Maybe it’s something you did that locked them into the proper style of login.
Thanks Toby
No. On reboot w/ FileVault, the authentication prompt loads prior to the OS. Upon logout and subsequent login, the name and login option will load like this hint describes. Sorry for any confusion.
Maybe adding a second Admin account will remove the autofill of a user name at boot? FileVault is nice for security (I travel for work) but adds a few annoyances too, so I guess it’s a trade.
RE: Maybe adding a second Admin account will remove the autofill of a user name at boot?
I WISH! :-)
When a user uses FileVault… upon reboot, the user will be presented with a list of users. :-(
Maybe with FileVault 3 they will fix this issue… but with Apple these days I wouldn’t hold my breath.
Thanks Toby