Basic OS X security
Following on from my post about OS X security the other day I thought I’d write a couple of quick tips regarding OS X security. Most of this is pretty obvious, but should still be considered by even the most experienced of users from time to time.
Choose a secure password; this is important. Many users have no login password at all, and since the odds are you run as an Admin user all the time (tut, tut), a weak or missing password hands an administrator's account to anyone who can reach the machine. OS X will help you choose a secure password if you wish: Password Assistant is offered as an option whenever you create or change a password. Passwords should be mixed case, alphanumeric, include symbols, not be obvious and preferably be 8 or more characters (12 at minimum if you want to be paranoid). Ideally they should not be anything that makes sense at all, in any language or formula.
Of course you know this. Did you know, though, that you can set a password policy across all users of a given machine without OS X Server? Using OS X Server you can push the same policy to users on every machine, but on a single home machine shared among family members the local version is quite useful. Check out this terminal command:
sudo pwpolicy -a adminusername -setglobalpolicy "usingHistory=12 minChars=8 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=5"
Here sudo runs pwpolicy as root, and -a names the admin account that authorises the change. The policy then applies to every user of this machine: users cannot reuse any of their last 12 passwords, passwords must be at least 8 characters long and contain at least one letter and one digit, and an account is locked after 5 consecutive failed login attempts. This is a pretty standard baseline among corporates and a sensible default at home too. Two things to keep in mind: the length and character rules are checked when a password is set or changed, so existing weak passwords stay until their owners change them, and the lockout rule means anyone who can reach the login window can lock another user out by guessing wrong five times, so keep an admin account handy to unlock them. The matching -getglobalpolicy option prints the current policy back so you can confirm the change took. The values can of course be changed to meet your requirements or the policy of your workplace.
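To see what each key in that policy string actually enforces, here is an added example (not from the original post, and not Apple's code) that mirrors the rules locally in plain sh: minChars, requiresAlpha, requiresNumeric and usingHistory as a candidate-password check, and maxFailedLoginAttempts as a lockout counter. The history file, the sample passwords and the function names are assumptions for illustration; the real pwpolicy compares against stored hashes, not plain text, and nothing here touches the account database.

```shell
#!/bin/sh
# Added example: a local mirror of the rules in the pwpolicy line above.
# The values are copied from that policy string; the functions, the
# history file and the sample passwords are illustrative assumptions.

MIN_CHARS=8          # minChars=8
HISTORY_DEPTH=12     # usingHistory=12
MAX_FAILED=5         # maxFailedLoginAttempts=5

# check_password CANDIDATE [HISTORY_FILE]
# Returns 0 when CANDIDATE meets the length and character rules and is not
# one of the last HISTORY_DEPTH entries of HISTORY_FILE; otherwise prints
# the rule that rejected it and returns 1.
check_password() {
    pw=$1
    hist=${2:-}
    if [ "${#pw}" -lt "$MIN_CHARS" ]; then
        echo "rejected: shorter than $MIN_CHARS characters (minChars)"
        return 1
    fi
    case $pw in
        *[A-Za-z]*) ;;
        *) echo "rejected: no letter (requiresAlpha)"; return 1 ;;
    esac
    case $pw in
        *[0-9]*) ;;
        *) echo "rejected: no digit (requiresNumeric)"; return 1 ;;
    esac
    if [ -n "$hist" ] && [ -f "$hist" ] \
       && tail -n "$HISTORY_DEPTH" "$hist" | grep -qxF -- "$pw"; then
        echo "rejected: matches one of the last $HISTORY_DEPTH passwords (usingHistory)"
        return 1
    fi
    echo "accepted"
    return 0
}

# record_password CANDIDATE HISTORY_FILE
# Appends an accepted password to the illustrative (plain-text) history.
record_password() {
    printf '%s\n' "$1" >> "$2"
}

# login_attempt SUBMITTED EXPECTED
# Simulates the counter behind maxFailedLoginAttempts: after MAX_FAILED
# consecutive wrong passwords the account is locked, and stays locked even
# when the correct password is supplied afterwards. Returns 0 on success,
# 1 on a wrong password, 2 when the account is locked.
FAILED=0
LOCKED=0
login_attempt() {
    if [ "$LOCKED" -eq 1 ]; then
        echo "locked out: an admin must unlock this account"
        return 2
    fi
    if [ "$1" = "$2" ]; then
        FAILED=0
        echo "login ok"
        return 0
    fi
    FAILED=$((FAILED + 1))
    if [ "$FAILED" -ge "$MAX_FAILED" ]; then
        LOCKED=1
        echo "wrong password; account locked after $FAILED failures"
    else
        echo "wrong password ($FAILED of $MAX_FAILED)"
    fi
    return 1
}

# Demonstration on constructed values.
HIST=$(mktemp)
record_password 'Summer2009!' "$HIST"
check_password 'short1' "$HIST" || true         # fails minChars
check_password 'nodigitsatall' "$HIST" || true  # fails requiresNumeric
check_password 'Summer2009!' "$HIST" || true    # fails usingHistory
check_password 'Winter2010!' "$HIST" || true    # accepted
rm -f "$HIST"
```

Running the file prints one line per check; the last function is the one to dwell on, because it shows why a lockout threshold is a double-edged setting on a shared machine: the fifth wrong guess, whoever types it, disables the account until an administrator intervenes.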
There are tons of other tricks you can do with OS X security, and plenty of long lists of them online; work through one and apply as much as fits, it will leave you far less exposed. Remember, though, that none of it holds up against physical access: someone with the machine in hand can boot it from another disk and read whatever they like, and only full encryption of the data changes that. Encryption cuts both ways, too: lose the password or recovery key and the data is gone for you as well, so back up before you turn it on.
