How to secure your Mac

Better safe than sorry

When you first set up your Mac, the only security measure that's enforced is that you add a password to your user account. The Setup Assistant makes no mention of extra measures you might want to enable, even though several are built into OS X.

Bear in mind that the features we're about to look at are defences against physical attack, rather than protection against online attacks such as security holes in your web browser or social engineering that tries to trick you into ill-advised action.

1. Turn off automatic login

It's a risk if your Mac is set to log into a user account automatically on startup: all an intruder needs to do to gain access is hold down the power button to turn off the Mac, then restart it.

Automatic login can be disabled under Login Options in Users & Groups, or in Security & Privacy in the General tab.

2. Obfuscate login details

The login window shows account names by default, leaving passwords to be guessed. Under Login Options, switch to 'Name and password' so both need to be entered to gain access.

If you use Fast User Switching, set it to show an icon so the account name can't be read from your screen.

3. Restrict your abilities

The first user you create at setup is an Administrator with top-level rights. It's safer to use a Standard account day-to-day, but an Admin is needed for system changes.

Create a new admin user in the Users & Groups pane, log out, then log into the new account. Select your regular account and untick 'Allow user to administer…' to reduce its rights.

4. Request password to wake

By default, waking a Mac from sleep or its screensaver allows access to whatever account was left signed in. Under General in the Security & Privacy pane, turn on the option that requires a password to wake, and set how soon it's needed.

Anything longer than five seconds presents a risk if your Mac is left unattended.
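The settings from tips 1, 2 and 4 can also be checked from Terminal. The script below is an added example, not part of the original article; the preference domains and keys it reads (autoLoginUser, SHOWFULLNAME, askForPassword, askForPasswordDelay) are assumptions about where OS X stores these options, since the article names only the System Preferences panes.

```shell
#!/bin/sh
# Added example: audit tips 1, 2 and 4. The preference domains and keys
# read in audit() are assumptions; the article names only the GUI panes.

# Tip 1: any configured automatic-login user is a finding.
check_autologin() {
    if [ -n "$1" ]; then echo "FAIL automatic login enabled for '$1'"
    else echo "PASS automatic login disabled"; fi
}

# Tip 2: a true SHOWFULLNAME means the window asks for name and password.
check_login_window() {
    case "$1" in
        1|true|YES) echo "PASS login window asks for name and password" ;;
        *) echo "FAIL login window lists account names" ;;
    esac
}

# Tip 4: a password must be required, and within five seconds of waking.
check_wake() {
    case "$1" in
        1|true|YES) ;;
        *) echo "FAIL no password required to wake"; return ;;
    esac
    delay=${2%%.*}                                  # defaults may print a float
    case "$delay" in ''|*[!0-9]*) delay=0 ;; esac   # assumed: unset means immediately
    if [ "$delay" -le 5 ]; then echo "PASS wake password required after ${delay}s"
    else echo "FAIL wake password delayed ${delay}s (more than 5)"; fi
}

# Print a preference value, or nothing if it is unset or unreadable.
read_pref() { defaults read "$1" "$2" 2>/dev/null || true; }

audit() {
    lw=/Library/Preferences/com.apple.loginwindow
    check_autologin "$(read_pref "$lw" autoLoginUser)"
    check_login_window "$(read_pref "$lw" SHOWFULLNAME)"
    check_wake "$(read_pref com.apple.screensaver askForPassword)" \
               "$(read_pref com.apple.screensaver askForPasswordDelay)"
}

if [ "$(uname -s)" = "Darwin" ]; then
    audit
else
    # Constructed sample values so the checks can be exercised off a Mac.
    check_autologin "alice"; check_login_window "0"; check_wake "1" "300"
fi
```

Run it as the user whose settings you want to check; each FAIL line corresponds to one of the options described above.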

5. Tighten Keychain security

Your account password also protects your Keychain, so just logging in gives features such as Safari's AutoFill access to it. The Keychain can be given its own password so that separate consent is needed.

To do this, simply open Keychain Access (you'll find it in /Applications/Utilities), right-click 'login' in the Keychain list, then choose Change Password.

6. Lock the Keychain

In the same menu as mentioned in the tip above, choose Change Settings… for options that lock the Keychain when your Mac goes to sleep and after a period of inactivity.

In Keychain Access's preferences, you can add an icon to the menu bar to display the Keychain's status and manually lock it. When it's locked, though, background system services may prompt you for access.

7. An unplugged hole

Without a firmware password, Recovery Mode gives the unfettered ability to reset any account's password by typing resetpassword in Terminal. The Keychain password is unaltered by this, so an intruder won't be able to read website logins in Keychain Access and Safari's Passwords preferences, but they will have access to files stored locally.

8. Set a firmware password

Restart your Mac and hold Command+R at the startup chime to start in Recovery mode.

When it finishes loading, go to Utilities > Firmware Password Utility and set a password. Make sure you don't forget this password – you'll need it on rare occasions such as restoring your Mac from Time Machine, and to use other startup key combinations.

9. P*55wrd tip

It goes without saying that a strong password is one that isn't easily guessed by a person or worked out by a program (and don't use the same password for everything!).

Generally, a good password has letters, numbers and symbols. Be careful using symbols, though, as the keyboard layout in use at the password box may put them on unexpected keys.