Is it possible to bypass the login password?
A friend tells me that on OSX, bypassing password and getting into user's files is very easy (especially when hard disk not encrypted, but protected with user's login password). He tells me this is how it would be done:
- shut down the mac
- hold Cmd+s
- boot up the mac
that is all you need for basic root access -
mount -w /
to get basic read/write
I can't believe it would be that easy. Is he talkin cr*p or what?
Solution 1:
I just did it on my MacBook Air with macOS Sierra 10.12.3 (latest macOS as of 02/2017) and that is indeed actually how it can be done.
As Tetsujin wisely points out, if you have the machine in your hands, then no OS is immune to a simple 'read the disk' attack - unless the drive itself is encrypted.
Of note Cmd+s invokes "Single User Mode" and there are other ways to bypass the login requirement, such as booting into local or internet "Recovery Mode" or booting the drive in "Target Mode". To avoid abuse of these options, you could also use a Firmware Lock. Per the article about "Recovery Mode":
Enable a Firmware Password to Lock Down Your Mac’s Hardware Even with FileVault enabled, someone with access to your Mac could still wipe it from recovery mode and set it up as a new system. A firmware password can protect against this.
This will also help if you don’t want to use FileVault encryption for some reason, but do want to prevent people from changing your password and accessing your files. A firmware password also prevents people from booting your Mac from other devices — like USB drives or external hard drives — and accessing your files if they’re not encrypted. Someone could still rip the hard drive out of your Mac and access its files on another device if you just use a firmware password without encryption, however.
If you set a firmware password, you’ll need to enter it before booting into recovery mode or holding the Option key to boot from a different device. Just powering on your Mac normally without doing anything special won’t require the password, so it isn’t too much additional hassle.
Also of note, per this answer, the impact to performance from activating FileVault on computers using SSD drives is negligible. The only difference the user will likely notice is the need to enter a password prior to booting... and remembering where you stored your "recovery key" should you ever need it.
Solution 2:
Enryption is opt-out so anyone that doesn't have their boot drive encrypted chose to do so out of a decision or inattention/ignorance.
Physical control of the computer gives you total control of the contents of the storage. Before Yosemite, you had to opt in to encrypt your data, so I suppose this is possible / default based on the version of macOS you run up against.
You could also enable a firmware password to prevent booting to single user mode or target disk mode if you wanted a little more protection but had to opt out of encryption of the drive.