Home
Posted By: deniro Securing a desktop mac - 08/01/14 04:42 PM
This may sound paranoid, but many break-ins nearby got me thinking about whether I should take steps to make my mac secure. Maybe you can afford $1000 for a new computer for two years, but I can't. I've had this one for eight.

1) Do you think I should log in/log out of my account when I startup my Mac and shut it down? I find it annoying, and since I'm the only user.

2) I've read about cables that attach to the mac, locking it to a table or something. What do you think about this?

I know laptops get stolen, but I would think my desktop is safe.

I appreciate your responses.
Posted By: alternaut Re: Securing a desktop mac - 08/01/14 05:08 PM
I'm afraid you can't have it both ways: either you opt for ease of use, or for security. It's up to you to assess your risk, given your home and its security. Adding theft impediments like security cables will thwart casual or hit & run theft, but may not deter the determined burglar who manages to get in when you're out. But the age of your Mac is a deterrent by itself, because the halfway knowledgeable thief will pass it by for greener pastures...
Posted By: grelber Re: Securing a desktop mac - 08/01/14 05:19 PM
Originally Posted By: deniro

1) Do you think I should log in/log out of my account when I startup my Mac and shut it down? I find it annoying, and since I'm the only user.

I've taken to setting/enabling "Require password for for sleep and screen saver" under Security & Privacy in System Preferences. There are a number of time frames which one can choose; I chose "after 1 hour". I don't find that it's all that inconvenient. And it would foil "drive-by" thieves.
I've also disabled automatic login.
Posted By: deniro Re: Securing a desktop mac - 08/01/14 06:32 PM
When it comes to theft, I guess I'm not just worried about the computer itself, but what I have on the hard drive. Some minor financial stuff, letters, address book, calendar, personal but not especially vital stuff, except for my passwords.
Posted By: tacit Re: Securing a desktop mac - 08/01/14 07:05 PM
If you're worried about data, I recommend keeping good backups on external media. (You do do that already, right? Right?)
Posted By: artie505 Re: Securing a desktop mac - 08/01/14 07:21 PM
You've mentioned that you work with highly confidential proprietary info; how does it fit into your equation, if at all?
Posted By: dianne Re: Securing a desktop mac - 08/01/14 07:32 PM
deniro,

As regards the files on your hard drive which you do not want to be accessible to a thief, you might review and experiment with the information in: How to create a password-protected (encrypted) disk image.

My usernames, passwords, account numbers, answers to security questions, and social security numbers are accessible only through a strong password for my .sparsebundle disk image.

Special Note: Important: If you forget the password, data stored in the encrypted disk image cannot be retrieved. If you have saved the password in the keychain, the password will be available to you there.
Posted By: artie505 Re: Securing a desktop mac - 08/01/14 07:51 PM
Originally Posted By: dianne
My usernames, passwords, account numbers, answers to security questions, and social security numbers are accessible only through a strong password for my .sparsebundle disk image.

Special Note: Important: If you forget the password, data stored in the encrypted disk image cannot be retrieved. If you have saved the password in the keychain, the password will be available to you there.

My passwords, etc. are similarly protected, but it should be noted that storing the sparse image's p/w in your keychain leaves its p/w no stronger than your keychain's, because it will be auto-entered.

In my instance, my sparse image's p/w is not stored in my keychain and is protected by a much stronger p/w, because the info it contains is far more critical. (I never allow keychain to auto-enter critical p/w's.)
Posted By: ganbustein Re: Securing a desktop mac - 08/01/14 08:57 PM
You can have it both ways. I have a second keychain, set to auto-lock after 5 minutes, that contains all my high-security passwords. The login keychain contains low- and medium-security passwords.

My financial records are stored in an encrypted disk image file, with a ridiculously long password. That password is stored in my high-security keychain.

When I launch an application like Quicken that wants access to my financial records, it tries to auto-open its most recent document, which through the magic of aliases causes the encrypted disk image to try to mount.

The disk image needs a password to mount, but the system notices that the password is in the high-security keychain, so it asks first for the password to that keychain. If I enter the correct password, the keychain unlocks, the disk image password is retrieved, the disk image mounts, Quicken is happy, and in short order the keychain auto-locks. (Quicken continues to be happy; the disk image's password is needed only to mount it, not to keep it mounted.)

If I don't enter the keychain password, clicking "Cancel" instead, the system says "OK, then, can you give me the password to the disk image?" If I knew it, I could enter it then.

When I'm through with Quicken, I have to remember to unmount the disk image, both to secure it again, and to let Time Machine know it's now safe to back it up. (TM will not back up a disk image, secure or not, while it's mounted.)

My login password is relatively strong, a compromise between security and convenience. I need to type it to log in, and to wake from sleep/screen saver. My high-security keychain has a much stronger password. I only need to enter it a few times per month, so brevity is not important.
Posted By: dkmarsh Re: Securing a desktop mac - 08/01/14 10:52 PM

Originally Posted By: artie505
You've mentioned that you work with highly confidential proprietary info; how does it fit into your equation, if at all?

Sure you're not thinking of JoBoy?
Posted By: artie505 Re: Securing a desktop mac - 08/01/14 11:09 PM
That thought crossed my mind shortly after I posted, and I immediately forgot to check.

Thanks for correcting me.
Posted By: joemikeb Re: Securing a desktop mac - 08/02/14 01:09 AM
Originally Posted By: tacit
If you're worried about data, I recommend keeping good backups on external media. (You do do that already, right? Right?)

I agree with Tacit about backups, but if there is any risk of losing physical control of your computer then local backups are unlikely to be of any use in data recovery because they will most likely be stolen along with the computer. A heart to heart conversation with your insurance provider would definitely be in order and they may be able to save you some money on offsite data storage.
Posted By: artie505 Re: Securing a desktop mac - 08/02/14 06:39 AM
Originally Posted By: ganbustein
My financial records are stored in an encrypted disk image file, with a ridiculously long password. That password is stored in my high-security keychain.

If I don't enter the keychain password, clicking "Cancel" instead, the system says "OK, then, can you give me the password to the disk image?" If I knew it, I could enter it then.

My login password is relatively strong, a compromise between security and convenience. ... My high-security keychain has a much stronger password.

Isn't that scheme fallacious?

Your "ridiculously long" p/w is no stronger than the weaker, albeit "much stronger" one that unlocks your high-security keychain.

My login p/w is ridiculously weak, but there's no risk involved, because my deuced Mac(hina) is a one-person machine.

For peace-of-mind, rather than immediately necessary security, though, I use a much stronger p/w to unlock my keychain and a very significantly stronger one to unlock my sparse image.
Posted By: ganbustein Re: Securing a desktop mac - 08/03/14 09:50 PM
Originally Posted By: artie505
Isn't that scheme fallacious?

Your "ridiculously long" p/w is no stronger than the weaker, albeit "much stronger" one that unlocks your high-security keychain.

My login p/w is ridiculously weak, but there's no risk involved, because my deuced Mac(hina) is a one-person machine.

For peace-of-mind, rather than immediately necessary security, though, I use a much stronger p/w to unlock my keychain and a very significantly stronger one to unlock my sparse image.

It would be fallacious only if I thought the ridiculously long password was the one protecting the disk image. I know the password of the keychain is the weak link, but I chose it to be strong enough for my needs. When I created the disk image, I let the system auto-generate a password what it believed to be a maximally secure. But such passwords are actually weaker; any password you cannot remember must be written down somewhere, and is only as secure as wherever it's written. The solution to this conundrum is to write it somewhere it's protected by a password you can remember.

This is the way password managers like LastPass or 1Password are usually used. The user lets the system auto-generate unique passwords that the user never intends to ever enter or even remember. It's up to the password manager to remember them, and the strength relies on a single "good enough" password that protects the password manager's data. Using a single password to protect all the "real" passwords makes that password easier to remember, by dint of being entered more often. You get the convenience of only having to remember one password with the security of having separate passwords for separate uses.

I'm too cheap to spring for a commercial password manager. This is how I set up my own system along the same model.
Posted By: tacit Re: Securing a desktop mac - 08/03/14 11:30 PM
A former lover of one of my girlfriends had her house broken into and her iMac stolen, but the thief didn't take the external backup hard drive.

I keep good backups on more than one external hard drive, one of which is actually in a physically different location and accessible over the Internet. smile
Posted By: jchuzi Re: Securing a desktop mac - 08/04/14 06:57 PM
A lot of this may have already been discussed, but it's still worth reading How to secure and lock down your Mac.
Posted By: artie505 Re: Securing a desktop mac - 08/06/14 05:09 AM
OK, that makes sense. You had me worried for a moment.
Posted By: artie505 Re: Securing a desktop mac - 08/06/14 05:16 AM
Thieves are after readily salable big bucks items, and an HDD doesn't qualify unless the thief has broken in to your home looking for info, in which case you're in more trouble than you think.
Posted By: slolerner Re: Securing a desktop mac - 08/13/14 10:18 PM
My two cents:

My friend works with high security financial information and all of it is stored on the cloud and is accessed via a memory stick key. I don't know how it is done because it is top secret, James Bond kind of stuff.

Second, as with everything else in your home, or apartment, you should have insurance that covers REPLACEMENT value. In addition, you get stuff like liability in case anyone injures themselves on your premises, and you can get a rider for equipment that you take with you, such as a camera.
Posted By: ryck Re: Securing a desktop mac - 08/14/14 09:30 PM
Originally Posted By: slolerner
….as with everything else in your home, or apartment, you should have insurance...

And you should think about where you hide stuff. A security expert told me that professionals, looking for high-value, easy to carry items, go straight to the main bedroom. They know that's where they'll find all kinds of jewelry, et cetera.

He said the best place to hide those items is in a rusty tin can in the garage.
Posted By: deniro Re: Securing a desktop mac - 09/22/14 02:32 AM
Someone mentioned 1Password. Has anyone used it or any other password manager? Any opinions about them, other than the comments in the previous post? I don't like using so many IDs and passwords for web sites.
Posted By: slolerner Re: Securing a desktop mac - 09/22/14 08:34 AM
I keep mine on an excel spreadsheet, but don't leave it on the computer or any backup drive, on a CD and update the file and print it up occasionally, write updates on the printout, and then update the file now and then and make a new CD. Could use a memory stick I guess, but I like having the CD.

Someone I know mentioned creating passwords they can remember by using a number and letter password that is always the same except including the name of the website somewhere in the password, like every other letter, or some other formula. This is probably ok for websites that don't store your credit cards or access your financial information. For those, I use a separate email created for that purpose or sign in name and the passwords relate to that info, easier to remember both.
Posted By: MarkG Re: Securing a desktop mac - 09/22/14 10:53 AM
I use eWallet. It got very good reviews on the app store and it syncs with ewallet for the iPad. It was a little tricky the first time syncing to my iPad. I have no idea what eWallet Go does. As far as the technicals of how secure I can't address that as I don't have the expertise to analyze it, but it says it uses strong 256-bit AES encryption. It is easy to use and I like having all my passwords in one place and only having to remember one password. It also syncs with DropBox. Mark
Just to add as joemikeb said if you lose the master password you're in trouble.
I use with my iMac and iPad.
Posted By: joemikeb Re: Securing a desktop mac - 09/22/14 01:06 PM
Originally Posted By: deniro
Someone mentioned 1Password. Has anyone used it or any other password manager? Any opinions about them, other than the comments in the previous post? I don't like using so many IDs and passwords for web sites.

I have tried several password managers and keep coming back to 1Password. It pretty much does everything, has very flexible options for generating passwords, and can synch with my iPhone and iPad via WiFi or iCloud. One warning, if you forget the "master password" the only recovery is starting over from scratch.
Posted By: ryck Re: Securing a desktop mac - 09/22/14 03:45 PM
Originally Posted By: deniro
Someone mentioned 1Password. Has anyone used it or any other password manager?

I've been using Dataviz' Passwords Plus for so long I can't recall when I first started. It's been very good...easy to use, et cetera. The one drawback was that it doesn't sync my desktop iMac with my iPad...unless they've fixed that since I last asked - about 18 months ago. (I haven't checked recently)

Originally Posted By: joemikeb
[quote=deniro]Someone mentioned 1Password. .... One warning, if you forget the "master password" the only recovery is starting over from scratch.

Ditto for Passwords Plus.
Posted By: deniro Re: Securing a desktop mac - 09/22/14 04:39 PM
Quote:
One warning, if you forget the "master password" the only recovery is starting over from scratch.


What do you mean? What do have to do?
Posted By: ryck Re: Securing a desktop mac - 09/22/14 07:58 PM
First, you weep.

You will be the only person who knows your password. If you forget it, neither you nor the software publisher can open the application. So you'll have to start all over and enter every single password again.

However, you got this kind of software because you can't remember all your passwords and didn't want to leave a document laying around that someone else could access.

Now, there's a pickle. You need to re-enter all your passwords but you can't.

I took the approach of creating a Master Password that is very unlikely to be guessed but which is easy for me to remember. I also have it stored in a couple of places - my daughters' heads. They have it because, if anything ever happened to my wife and me simultaneously, they'd need access to my passwords.
Posted By: slolerner Re: Securing a desktop mac - 09/22/14 08:53 PM
Quote:
And you should think about where you hide stuff. A security expert told me that professionals, looking for high-value, easy to carry items, go straight to the main bedroom...

He said the best place to hide those items is in a rusty tin can in the garage.


Problem solved. Keep your master password in a rusty tin can in the garage. Tada! laugh
Posted By: ryck Re: Securing a desktop mac - 09/22/14 10:26 PM
Originally Posted By: slolerner
Problem solved. Keep your master password in a rusty tin can in the garage. Tada! laugh

Perfect. They're never looking there. grin
Posted By: joemikeb Re: Securing a desktop mac - 09/23/14 03:37 PM
Originally Posted By: deniro
Quote:
One warning, if you forget the "master password" the only recovery is starting over from scratch.


What do you mean? What do have to do?

That has happened to me (which in one reason I have tried so many password systems). An early version of Keychain hiccuped and lost the keychain file. There was, of course, no remembering all the various sites much less the passwords so I ended up resetting the passwords when I logged onto each and every site to rebuild the Keychain file. It took for blooming EVER!

Keychain and OS X file management are far more stable these days — thank heavens, but now I take a sixfold approach.
  1. The keychain is backed up in Time Machine
  2. The keychain is synchronized in iCloud which has the added benefit of making the passwords available on my iPhone and iPad.
  3. I have a logon and wake from sleep password so keychain can fill in the userid and password even on sites that normally exclude automatic password entries
  4. I have the most important and critical passwords in 1Password
  5. 1Password is also backed up in Time Machine
  6. 1Password is synched with iCloud and my iPad.

I use different passwords for Keychain and 1Password and store the Keychain password in 1Password and vice-versa. Keychain does a good job of suggesting secure passwords for new sites or when changing a site password, but it is not as flexible as 1Password in that regard. I have encountered sites that will not accept the Keychain suggestion, but I have always been able to adjust the 1Password suggestions to work with any site. An interesting sidelight is the difference in how secure each of the utilities thinks the same password is. The difference is sometimes night and day.
Posted By: slolerner Re: Securing a desktop mac - 09/23/14 04:04 PM
I thought I heard iCloud was hacked...

But then again, so was Home Dept. I had credit card fraud (not debit card) from Walmart and Hertz, both in states I have never been to. I never shopped at Walmart and never rented a car from Hertz. It's just out there. Purchase a monitoring service until they eliminate this whole shoddy password and card swipe system, IMHO.
Posted By: grelber Re: Securing a desktop mac - 09/23/14 06:34 PM
RE I thought I heard iCloud was hacked...

According to Apple and other sources, that was the 'cheap' way of explaining what happened. As I understand it, users of iCloud (especially those who didn't even know their photos were being uploaded to iCloud by default – ie, had no clue how their iPhone and other such devices worked – but could have circumvented the problem by disabling the automatic/default option of iCloug backup) were hacked the good old-fashioned way, via 'brute force', to obtain poorly constructed passwords.

EDIT: Along those lines, see this season's premiere episode of The Big Bang Theory, whereby Sheldon's (rail)road trip photos were saved to the Cloud and retrievable after his mobile was stolen.
Posted By: deniro Re: Securing a desktop mac - 09/24/14 06:10 PM
Thanks for everyone's advice. Good stuff.
Posted By: deniro Re: Securing a desktop mac - 09/29/14 07:48 PM
What do people here think about staying logged in to web sites? Should I log out of a site every day? Every time I'm done with it? Amazon? This site?
Posted By: alternaut Re: Securing a desktop mac - 09/29/14 09:36 PM
While there is a difference between private and public computers, it is generally safer and more secure to log out when you're done on a particular web site, and log back in when you need to do more business there. For instance, many financial web sites will log you out automatically after a certain period of inactivity to increase the safety of your data. More musings on this topic can be found on this Lifehacker page.
Posted By: ryck Re: Securing a desktop mac - 09/29/14 09:41 PM
Originally Posted By: alternaut
For instance, many financial web sites will log you out automatically after a certain period of inactivity to increase the safety of your data.

My bank suggests not only logging out but also closing the browser to clear out residual information. I seem to recall that joemike's bank had even more stringent recommendations.
Posted By: tacit Re: Securing a desktop mac - 09/30/14 05:23 AM
I usually stay logged out. But then, I'm usually on my laptop these days, and I administer some sites that could cause significant grief if someone were o log in as me. I'm on a laptop most of the time, so I'm always concerned about the possibility of someone making off with my computer.

On my desktop system, I often stay logged in.
Posted By: joemikeb Re: Securing a desktop mac - 09/30/14 06:46 PM
Originally Posted By: deniro
What do people here think about staying logged in to web sites? Should I log out of a site every day? Every time I'm done with it? Amazon? This site?

If I have logged onto a site where I do not conduct any financial transactions, such as this one, I seldom, if ever, log out.

If it is a site where I conduct any sort of financial transactions such as making a purchase, or paying a bill, I always log out and at the very least close the site window if not quitting the browser immediately after the transaction. To my knowledge that is perhaps the very oldest and hoariest of security recommendations. It goes back to the days when the primary security concern was a hacker hijacking your connection to a site. Since that time there have been numerous improvements in browsers and servers intended to defeat that practice. But habits are hard to break and just because a technique is old does't mean it no longer works or more importantly that all servers have good protection against such attacks. I am waiting to receive my third debit card in less than 12 months because it has once again been compromised by attacks on third party sites (not me and not my bank but some merchant.)

Note 1: I am getting more than a little "antsy" about sites that allow you to log in using a Google or Facebook ID. I will never login to a site to conduct financial transactions using Google or Facebook login nor will I do business with a merchant who uses Google or Facebook logins. IMHO that is simply too vulnerable to exploitation.

Note 2:I will definitely get an iPhone 6 and an iWatch because of Apple's more secure charge card scheme. The time is coming when I will feel forced to quit trading with merchants that are too cheap to upgrade their credit card readers and sites to work with the security chip credit and debit cards.
Posted By: slolerner Re: Securing a desktop mac - 10/01/14 11:13 PM
I have Firefox set to not remember history and clear all cookies, caches, etc. after quitting. Then if I am logged into two sites at once for some reason, I won't forget to log out of each. Quitting Firefox will clear everything.
Posted By: joemikeb Re: Securing a desktop mac - 10/02/14 12:34 AM
Originally Posted By: slolerner
I have Firefox set to not remember history and clear all cookies, caches, etc. after quitting. Then if I am logged into two sites at once for some reason, I won't forget to log out of each. Quitting Firefox will clear everything.

You are dealing with the vulnerability of someone logging into or having physical access to your computer. The logout and close browser routine is intended to shortstop a vulnerability that arises from a hacker actually hijacking your logon session — while it is in progress. In this case clearing the history etc. is a case of locking the barn door after the horse is long gone.
Posted By: slolerner Re: Securing a desktop mac - 10/02/14 12:58 AM
Got it.
Posted By: artie505 Re: Securing a desktop mac - 10/06/14 07:26 AM
Originally Posted By: joemikeb
I have a logon and wake from sleep password so keychain can fill in the userid and password even on sites that normally exclude automatic password entries.

I don't follow that; would you please clarify?

Thanks.
Posted By: artie505 Re: Securing a desktop mac - 10/06/14 07:41 AM
Originally Posted By: joemikeb
Note 1: I am getting more than a little "antsy" about sites that allow you to log in using a Google or Facebook ID. I will never...do business with a merchant who uses Google or Facebook logins. IMHO that is simply too vulnerable to exploitation.

Note 2:I will definitely get an iPhone 6 and an iWatch because of Apple's more secure charge card scheme. The time is coming when I will feel forced to quit trading with merchants that are too cheap to upgrade their credit card readers and sites to work with the security chip credit and debit cards.

1. I still don't understand people's fears about sites other than those that either have or have access to money or financial records/other critical info.

Somebody who hacks into my eBay or other merchant account, pretty much any of my accounts, in fact, can do no more than either maaaybe embarrass me or pay for it with their own money.

2. How would a merchant site work with a card with a security chip?
Posted By: artie505 Re: Securing a desktop mac - 10/06/14 07:43 AM
> ...a hacker actually hijacking your logon session — while it is in progress.

How is that possible?

Thanks.
© FineTunedMac