There are now two ways to crack a Mac login password that are in the wild, and before any of the usual suspects start to crow about how Macs are now as totally insecure as Windows has always been, I thought a quick note was in order. So, a few observations:
- Yes, these are serious attacks.
- However, both require physical access to your Mac. If you can prevent anyone from laying hands on your keyboard, you’re in no greater danger.
- Physical access to your Mac has always been a security hole. Anyone with a Mac system restore DVD can use it to change your passwords without knowing your existing password.
- Therefore, this makes not one iota of difference to your data security in the event of laptop or desktop theft. Savvy thieves or fences can get your data, and the DVD trick is far easier than the RAM extraction methods.
- You can thwart thieves in the event of theft by using FileVault. If you don’t want to use FileVault, you can create secure disk images using Disk Utility and store secure data there. (This is what I do.)
- The RAM extraction method listed above will thwart FileVault, however. If this is a concern, use Disk Utility images and a different password for encrypting them.
- There is a foolproof method that stops both of the above: shut down your computer, and leave it off for a few minutes before surrendering it to other people. Or before having it stolen, if you have such foresight. You can do this whenever you move your laptop if you want to be paranoid, or just before you encounter people you have no reason to trust, such as a TSA checkpoint.
I’m in agreement that Apple should fix the new loginwindow.app issue asap, although I don’t see physical-access attacks to be nearly the concern that network attacks are.
1) Agreed.
2) What about virtual machines? Isn’t there legitimate software that allows me to control one Mac from another Mac on the network? If so, isn’t my machine compromised just by running this software?
3) Ditto above.
4) That’s just crazy talk. A second security flaw “makes not one iota of difference to your security” because of the presence of the first one? So are you saying that if I leave my front door unlocked, I might as well open all the windows and unlock the safe?
5) I know you’re not suggesting that security flaws are OK if there are two ways to patch them.
6) Scratch that, one way…
7) Works well in an office environment: “Jeff, can you join us in this meeting?” “Sure, just let me power down my Mac and I’ll be right there…”
Don’t worry, I’m well aware that Windows has more security flaws than OS X. I still maintain, as I have in the past, that the number of security flaws we’ll see in the Mac will increase proportionately (or since they’re the second ones in this particular pond, perhaps exponentially?) as their market share increases.