Total security is a total pain
Security is a pain. Too much security gets in the way of productivity. Too little and the world owns your bank account. Finding the right balance is difficult. For me, securing my laptop has proven to be a challenge. Sure, I can lock it down so it requires a drop of blood every time I wake it up, but that’s too painful (and I need the blood). So I found a decent balance that you may want to try.
No Auto-Login
Mac OS X supports auto-login where the computer just boots to my user. That’s great for a desktop computer at home. But a laptop gives up all your data, instantly, to the first thief that comes along. At a bare minimum, make your computer require a password each time it boots or wakes from sleep.
Go to System Preferences -> Security.
- Turn on “Disable automatic login”
- Turn on “Require password to wake this computer from sleep or screen saver”
Hard Passwords
Make sure your login password is harder than just your username repeated twice. It should have at least a number and even a punctuation mark. Once login is locked, a person cannot casually open your computer and access your data. A thief would be able to gain access, but at least it’s not handed to them on a platter.
A harder login password is only part of the password equation. Passwords should be:
- Individual – Never use the same password twice
- Hard – A mixture of letters, numbers and even punctuation
- Long – At least eight characters
A good password for a banking website could be something like: w!8L_565yQ(k8eb2
And never use that password for any other site.
Remembering Passwords
But wait a minute. How can someone possibly remember all those different, hard passwords? You can’t. Nobody can. We have no choice. Good passwords prevent people from accessing your bank, credit card, telephone accounts. If someone takes your laptop, they will know what websites you visit. They may even find the usernames you use to login.
What we need is a way to remember the passwords, but that a thief cannot access if they take your machine.
Keychain
Every Mac comes with a program called Keychain. It’s a system program that encrypts valuable data into a secure file typically in the /Users/YOURNAME/Library/Keychains folder. These files are very hard to crack. Without the keychain unlock password, the files require a very difficult attack to open — far beyond a common thief. Never assume that your laptop wouldn’t end up in someone’s hands that could open the file. But you can assume that properly locked, it will take them a while to break it. This gives you time to change your passwords on the websites stored in the Keychain.
Keychain Access
By default, Mac OS X creates a keychain called ‘login’. It is created with the same password you use to log into your system. Also by default, that keychain is unlocked every time you log into your computer. But maybe we could be a little more paranoid.
- Open Applications -> Utilities -> Keychain Access. In the upper left window, is probably a small unlocked padlock next to the word “login”.
- Click Edit -> Change settings for keychain “login”
- Turn on “Lock when sleeping”
- If you are more paranoid, select “Lock after X minutes of inactivity” and set the number to how long you want it to wait before locking.
- Save and quit Keychain access
Now the keychain will lock when you put the computer to sleep. Or if you set it, after a period of inactivity.
Sidetrack: Resetting Login Passwords
To reset your system login password, you go to System Preferences -> Accounts, click your account, and hit Change Password. It also changes the keychain ‘login’ password to match. BUT, if you have to reset your system password using the install disk, the keychain ‘login’ password will not change.
So, if a thief has access to a compatible install disk for your laptop (install disks are tied to groups of serial numbers), they can reset your account password. But they cannot reset your keychain passwords. They still have to crack to the ‘login’ password to gain access.
Keychain Trouble
Keychain is a wonderful system, but it falls short in certain areas. It cannot remember multiple usernames and passwords for a website. I have several GMail accounts. Keychain will only remember one. Also, if you change computers or have to do a from scratch install (which is likely if someone steals your machine), the login.keychain file won’t like it.
What we need is a Super Keychain. Something that’s just as secure, but offers more features.
1Password
1Password is the best password manager on the market. The developer did something so smart, it’s a wonder no one else did it before. Rather than reinventing the wheel, he uses the Keychain subsystem to save and encrypt all his data.
What does this mean?
1Password doesn’t create a proprietary, unknown, file for storing passwords. It stores them in a system standard keychain file right next to the login.keychain. It’s brilliant. It’s the same level of encryption as keychain and any improvements to the keychain system, automatically improves his program.
It also means that if you lose 1Password, you can still read the 1Password.keychain file using the Keychain Access program in Utilities.
But 1Password does way more than Keychain could.
1Password,
- works in Safari, Firefox, Camino (Keychain by itself only supports Safari).
- supports multiple usernames and passwords for a single website.
- can create very hard passwords for you, and remember them.
- automatically remembers nearly every form you fill out.
- maintains multiple identities to fill online forms with (work, home, vacation house).
- saves passwords for websites trying to prevent saving passwords (like some banks).
I can’t go over every feature here. I highly recommend visiting 1Password.com and watch the movies. The program costs $30 and is worth every penny.
Putting it All Together
I save every password into 1Password. I use a fairly hard password to lock 1Password. I save this password into the “login” keychain. Why? Because I lock the login keychain when the computer goes to sleep. 1Password also automatically locks when the computer sleeps. Now all my keychains are locked and cannot be opened without knowing at least the “login” password (which is harder than my system username password).
When I open my laptop, I have to type my username and password. When my computer tries to use the keychain (getting mail for example) it prompts me for the “login” keychain password. I type that and my passwords are all open.
I use 1Password to fill in web forms and otherwise manage my passwords in the system. I’ve made 1Password bookmarks and I know the keyboard shortcut (see the tutorials. It makes short work of my day.
When I leave my computer in an open area, I turn on the screen saver or shut the laptop (either way locks all keychains and password protects my computer).
If a thief gets my machine. They will have to break a lot more security to get to my truly sensitive information. If they can get an install disk, they will probably reset my password and look through my files. But my keychains are still locked and protected. This gives me time to load a new computer with my backup data (you are backing up your computer, right??!!), open my 1Password keychain file, and start going to websites and changing my passwords.
One More Thing
There are files on my computer that I don’t want anyone to read. Financial files. Personal files. I don’t need my whole system encrypted just to protect this data. So instead, I created a lock box, or safe, on my computer to store sensitive data.
To create a safe:
- Open Applications -> Utilities -> Disk Utility
- Click “New Image”
- Save As: Try something innocuous like “stuff”
- Where: I usually save to the desktop and move it later
- Size: I typically set to about 40 MB which will hold a lot of documents but not a ton of images
- Encryption: Select “AES-128 (recommended)”
- Format: Sparse disk image which creates an image just large enough to hold any data it contains but not the whole 40 MB in size (remember, you have to back up this file so smaller is better)
- Click “Create”
- A window pops up asking to create a password (and verify it)
- It’s up to you whether to save the password in the ‘login’ keychain
- Click “OK”
What’s created is a file called stuff.sparseimage (using my Save As name of ‘stuff’). It’s a disk image that can be mounted and unmounted on your computer. It should first be automatically mounted after it’s created. You will see a drive icon with the disk image name under it. Double click it.
It’s blank. It’s just a virtual disk to save things into. Save financial information, personal files, anything worth protecting into it. It can handle text, images, doc files, open office documents. You can create folders and organize your data inside.
When finished, ALWAYS remember to “Eject” the image by dragging the drive icon into the trash (which should appear as an eject icon when the drive is dropped on it). The virtual drive automatically encrypts all the data when it’s unmounted (ejected). To open the drive again will require the password (either from the ‘login’ keychain which will happen automatically or you have to type it in).
Move the virtual disk file (sparseimage) someplace meaningful on your computer. When you need it again, just double click that file.
Remember, if you don’t unmount (eject) the opened disk image, a thief will have access to the decrypted data. Only unmounted disk images are securely encrypted.
Nobody’s Perfect
1Password, keychain, encrypted disk images will not save your computer from a determined cracker. But it will do the job most of the time. It’s not a perfect system. Nothing is. Total security is a total pain. Find a balance you can live with and do it.