My MacBook was stolen: can the thief access my files without my account password?

Solution 1:

I'm sorry your MacBook was stolen. That really sucks.

Sadly, there are numerous ways to read the data ranging from removing the drive or placing the Mac in target mode. Your password only protects things when the mac is booted into your unmodified OS.

To answer your question, Physical access is total access.

It would be trivial for someone to boot using a Linux LiveCD and mount your drive, thus accessing your files. All they'd have to do to get past your sleep/password would be to hard power down the system.

Additionally, from the link above:

Mac OS X: Single User Mode


To boot a Mac into “Single User mode”, simply boot the computer and press Apple + S when blue first shows up on the screen. Next, mount the harddrive, and either dump the password and crack it with a tool like John the Ripper, or simply overwrite the root password:

# /sbin/mount -wu /
# /sbin/SystemStarter
To dump the existing root password:
# nidump passwd
To create a new root password:
# passwd root

Solution 2:

As Kalamane's answer points out, unfortunately the thief can access your data very easily, as it sits on your disk unencrypted. It is unfortunately trivial to bypass OS X passwords by booting into single user mode.

It won't help now, but for the future, here are two tips that can help in case of laptop theft.

First of all, if you're like me and carry your laptop almost everywhere (so the likelihood of it getting stolen/lost is relatively high), seriously consider Apple's FileVault 2. FileVault 2 encrypts your entire hard-drive, seamlessly. This means that you can still use your computer as normal (you won't even notice that FileVault is on), but in case it gets stolen, the attacker won't be able to read anything from the hard-drive without knowing your password.

Secondly, enable the "Find My Mac" feature available in OS X Lion (go to Preferences - iCloud - Find My Mac). In case your laptop gets stolen, you will then be able to login to icloud.com from any computer, and see the last location where your MacBook has been on a map. You will also get the following interface, which you can use to remotely display a message on your Mac, wipe the Mac completely, or lock it:

enter image description here