Securing your Mac against passwordless login

Last night a critical flaw in the latest version of macOS High Sierra was announced on Twitter. The flaw enables you to login to the Root (administrator) account on any Mac computer running High Sierra by merely entering "root" as the username and a blank password.

This security flaw is genuinely devastating and enables anyone with physical access to your machine full access to all of your files, passwords for online services, everything.

So what can you do to protect yourself while Apple releases an emergency patch?

Here's a step-by-step guide to getting you secured that will walk you through;

  1. Enabling FileVault, this will encrypt the contents of your hard disk drive, and so long as your machine is shut down, nobody will be able to access your system unless it is logged in - if your laptop got stolen for example.
  2. Settting a password on the Root account from the terminal, this will ultimately disable this vulnerability and combined with enabling FileVault put you in a much safer position should someone gain physical access to your machine.

Turn on and set up FileVault:

(If you already have FileVault enabled then skip ahead to 'Set a Root password')

When FileVault is turned on, your Mac always requires that you log in with your account password. 

  1. Choose Apple menu () > System Preferences, then click Security & Privacy.
  2. Click the FileVault tab.
  3. Click the Lock button, then enter an administrator name and password.
  4. Click Turn On FileVault.
  5. If other users have accounts on your Mac, you might see a message that each user must type in their password before they can unlock the disk.

For each user, click the Enable User button and enter the user's password. User accounts that you add after turning on FileVault are automatically enabled.

Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:  

You can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.

You can choose to use your iCloud account to unlock your disk and reset your password.

If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk. 
After your Mac starts up, encryption of your startup disk occurs in the background as you use your Mac. Encryption takes time, and it happens only while your Mac is awake and plugged in.

All done! - now we need to set a password on the Root account to entirely disable this vulnerability.

Set a Root password:

1. In Finder, click "Applications" in the left-hand favourites pane.
2. Scroll down to the "Utilities" folder and double-click
3. Double click "Terminal."
4. A small window will appear with a flashing text prompt, type the following:

sudo passwd root

5. Hit the enter key and you will be asked to type in your login password, hit enter and the following message will appear:

Changing password for root.
New password:

6. Enter a secure password that you will remember, hit enter and type the password again when prompted.

That's it! You are all done. You have now successfully enabled full disk encryption to secure your data at rest from physical theft, and you have enabled a Root password to stop people from being able to login to your device and access your data.

If you need help with this issue or would like to know more about how Cocidius Defence can help your organisation secure their systems, get in touch with us today, and we'll be more than happy to discuss your needs.