Re: Is OS X login password good enough?



MM wrote:
I was wondering if OS X login password would be considered a good enough protection of one's personal information for the case where one's laptop gets stolen by an average thief?

No, it is not considered Good Enough security. Don't put anything on your computer you consider sensitive or protect the sensitive stuff somehow.

You can have an encrypted disk image that you put sensitive stuff in (making sure to not store the password for it [or any password, actually] in your local keychain), or use FileVault (which is pretty much an encrypted disk image for your entire home directory).

Good enough security for a road-warrior who wants to take reasonable steps to protect their laptop contents from thieves, and snooping border guards:

- Create a non-admin account that can do very little but open the Finder, use the web and play some games. Make them an obvious "first name" login to demonstrate the machine boots, and can play games. Nothing bores a border guard more than waking your laptop from sleep to show "Alice" logged in and playing mine-sweeper, with a web browser open in the background, showing a recipe for roast lamb. Well, it might make the guard hungry, as well.

You can make this the auto login account if you like, just to allay suspicion. Some border crossings will compel you to open up your computer and "prove" you don't have porn or other evil material on your computer, so keep this account squeaky clean and "normal" looking. For example, both the US and Canada use this lame way to force people into behaving "hinky" at border crossings.

- In security prefs, make sure you encrypt virtual memory. [For fun, try running "strings" on the VM files, grepping for your password. Yow!]

- Set up and use FileVault for any actual logins. Do not have any of these accounts log in automatically on boot (I'm not sure if OS X allows you to do this or not).

- Do not use the Shared account for anything sensitive.

- If you have "naughty" applications, make sure you place them in ~/bin or ~/Applications. Some countries think that Wi-Fi sniffers, and other greyhat hacker tools are naughty.
--
clvrmnky <mailto:spamtrap@xxxxxxxxxxxxxxxx>

Direct replies will be blacklisted. Replace "spamtrap" with my name to
contact me directly.