A Mac OS X bug has surfaced whereby any local user can change any user’s password using a simple Terminal command. This means that anyone who obtains physical access to a Mac, and who knows this command – not something that your average user will know – can change a password, then log into another user’s account and access their files.
Until this is fixed, it’s a good idea to take a number of precautions, especially if you leave your Mac accessible to others. First, disable automatic login. As we wrote in a recent Mac security tip, this means that you need to enter a password to access your Mac when you start it up. Next, make sure you use a different password for your keychain, so if someone does access your account, they still can’t get at your passwords. Finally, in the General tab of the Security & Privacy preferences, check “Require password immediately after sleep or screen saver begins.” This means that you’ll need to enter your password more often, but it’s a lot safer. If you put your Mac to sleep when you leave it, then no one will be able to access it without your password.
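A way to check the first and third precautions from Terminal, as an added example that is not part of the original article. It assumes the preference domains and keys used by OS X releases of this period (autoLoginUser in /Library/Preferences/com.apple.loginwindow; askForPassword and askForPasswordDelay in com.apple.screensaver); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit automatic login and the screen-lock password setting.
# Assumption: preference domains/keys as used by OS X releases of this period.

# Print one preference value, or "unset" if the key (or `defaults`) is missing.
read_pref() {  # $1 = domain, $2 = key
    defaults read "$1" "$2" 2>/dev/null || echo "unset"
}

# Pure check on three raw values; prints findings and returns their count.
# $1 = autoLoginUser, $2 = askForPassword, $3 = askForPasswordDelay
audit_login_settings() {
    findings=0
    if [ -n "$1" ] && [ "$1" != "unset" ]; then
        echo "FAIL: automatic login is enabled for user '$1'"
        findings=$((findings + 1))
    else
        echo "OK:   automatic login is disabled"
    fi
    if [ "$2" != "1" ]; then
        echo "FAIL: no password is required after sleep or screen saver"
        findings=$((findings + 1))
    elif [ "$3" != "0" ] && [ "$3" != "0.0" ]; then
        echo "FAIL: password is required, but not immediately (delay: $3)"
        findings=$((findings + 1))
    else
        echo "OK:   password is required immediately after sleep or screen saver"
    fi
    return "$findings"
}

if command -v defaults >/dev/null 2>&1; then
    # Live check on the Mac this runs on.
    audit_login_settings \
        "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
        "$(read_pref com.apple.screensaver askForPassword)" \
        "$(read_pref com.apple.screensaver askForPasswordDelay)" \
        || echo "$? finding(s) to fix in System Preferences"
else
    # No `defaults` tool here: run on constructed sample values instead.
    audit_login_settings "alice" "0" "unset" \
        || echo "$? finding(s) in the constructed sample"
fi
```

The keychain password tip is not covered here, since whether it differs from the login password cannot be read from preferences.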
Apple will undoubtedly issue a security update to fix the bug quickly. In the meantime, the above tips should help you protect your Mac and your files.