Screen Saver Password Protection - Security Flaw

Although I have always felt OS X has been a solid and secure operating system, there continues to remain one painful, and blatant security flaw. I keep thinking that Apple will address the issue, but they certainly haven't done so thus far.
Explanation:
With any good security policy, and in any secure environment, there will always be a need to "lock" (password protect) a system when not in use. That is, after 'X' period of time, the user interface is password protected so as not to allow access to the system while not in use. This is probably the most common and fundamental security measure in any environment. However, Apple's (GUI) password protection falls short in a number of ways. The only current method of password protecting the user interface is through the Screen Saver. Although at a glance it appears functional, it is a poor design and is easy to disable.
The screen saver configuration lies within two files; the ~/Library/Preferences/com.apple.dock.plist and ~/Library/Preferences/ByHost/com.apple.screensaver.<variable>.plist. It is especially important to note that both of these files are located in the user's home folder, which gives them full access to the configuration files. There is absolutely nothing preventing a user from deleting these files, and thus, disabling the only mechanism to password protect the user interface. Giving the user the ability to disable or remove ANY security related configuration is a poor design.
Now initially we thought we had a solution by setting the user immutable flag on the ByHost screen saver plist using chflags. This would still allow user access, but would prohibit them from deleting the ByHost plist. Well, it sounded good in theory. However, if ~/Library/Preferences/com.apple.dock.plist is deleted, you can say goodbye to your password protected screen saver, despite locking the screen saver plist. So naturally the idea occurred to me to set the user immutable flag on ~/Library/Preferences/com.apple.dock.plist. This works, but makes it impossible to modify the Dock. Needless to say, if the Dock can't be modified, there's no point in even having it.
Now that isn't the only thing wrong with the screen saver password protection. You would expect that an administrator could unlock a user's (password protected) screen saver, but you would also assume that the user was logged off as a result. Not in this case... If an admin unlocks a password protected screen saver for a user, they are now logged in as that user and have access to everything the user was doing when it was locked (email, spreadsheets, confidential information... anything). This is not the preferred method. If for some reason an admin needs to unlock a password protected screen saver, it should log off that user, not allow access to the user's session.
Finally, the biggest flaw yet. With a recent update, the password protection doesn't even work, as indicated by several people in the following threads.
http://discussions.apple.com/thread.jspa?messageID=2706417&#2706417
http://discussions.apple.com/thread.jspa?messageID=1950444&#1950444
http://discussions.apple.com/thread.jspa?messageID=2648700&#2648700
I have personally seen this issue while developing our corporate OS X image. Despite any fix or workaround, the simple fact that this has occurred is disturbing. As if the design wasn't bad enough, it now has the potential to stop working entirely.
Now don't get me wrong, I love OS X and prefer to work on it over any other operating system. Nonetheless, the current design for the "screen lock" is inadequate at best. For a large enterprise environment with stringent security requirements, it's far from sufficient. My hope in posting this is that someone from Apple acknowledges the design flaw and incorporates a more effective solution into the next OS.
MacBook   Mac OS X (10.4.6)  
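As an added example (not part of the original post, and not Apple's own tooling), the following Python script audits the two files the post names: it parses the ByHost screen saver plist, checks that a password is requested, and reports whether either file carries the uchg flag that `chflags` sets. Two assumptions are made and marked in the code: that the ByHost plist stores the setting under the key `askForPassword`, and that a rule of "session owner plus a group" is what lets admins through. The sample plists are constructed, not taken from a real machine. The flag check only works on macOS/BSD, where `os.stat()` fills `st_flags`; elsewhere it reports the flag as absent.

```python
import os
import plistlib
import stat
import tempfile
from typing import List

# CPython's stat module defines UF_IMMUTABLE (the BSD "uchg" flag, 0x2) on every
# platform, but os.stat() only fills st_flags on BSD-derived systems such as macOS.
UF_IMMUTABLE = getattr(stat, "UF_IMMUTABLE", 0x0002)

# Assumption: the Tiger-era ByHost screen saver plist keeps the setting here.
PASSWORD_KEY = "askForPassword"


def password_required(plist_bytes: bytes) -> bool:
    """True if the ByHost screen saver plist asks for a password on wake."""
    prefs = plistlib.loads(plist_bytes)
    return int(prefs.get(PASSWORD_KEY, 0)) == 1


def user_immutable(path: str) -> bool:
    """True if the uchg flag (what `chflags uchg` sets) is on the file.
    Off macOS/BSD st_flags is absent and this reports False."""
    return bool(getattr(os.stat(path), "st_flags", 0) & UF_IMMUTABLE)


def audit_screen_lock(dock_plist: str, saver_plist: str) -> List[str]:
    """Return findings; an empty list means the lock is configured and both
    files carry uchg, which the post notes is the only way to stop the owner
    deleting them (at the price of a frozen Dock)."""
    findings = []
    if not os.path.exists(saver_plist):
        findings.append("ByHost screen saver plist is missing: no password prompt is configured")
    else:
        with open(saver_plist, "rb") as f:
            if not password_required(f.read()):
                findings.append("%s is not 1: screen saver will not ask for a password" % PASSWORD_KEY)
        if not user_immutable(saver_plist):
            findings.append("screen saver plist lacks uchg: the user can delete it")
    if not os.path.exists(dock_plist):
        findings.append("com.apple.dock.plist is missing: screen saver settings are lost with it")
    elif not user_immutable(dock_plist):
        findings.append("dock plist lacks uchg: the user can delete it (uchg here also freezes the Dock)")
    return findings


# Constructed sample plists, not copied from any real machine.
SAMPLE_SAVER_LOCKED = plistlib.dumps({PASSWORD_KEY: 1, "moduleName": "Flurry"})
SAMPLE_SAVER_UNLOCKED = plistlib.dumps({"moduleName": "Flurry"})
SAMPLE_DOCK = plistlib.dumps({"orientation": "bottom"})


def demo() -> List[str]:
    """Write the constructed plists to a scratch directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        dock = os.path.join(d, "com.apple.dock.plist")
        saver = os.path.join(d, "com.apple.screensaver.001122334455.plist")
        with open(dock, "wb") as f:
            f.write(SAMPLE_DOCK)
        with open(saver, "wb") as f:
            f.write(SAMPLE_SAVER_LOCKED)
        return audit_screen_lock(dock, saver)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run against a real account by passing `~/Library/Preferences/com.apple.dock.plist` and the account's ByHost screen saver plist to `audit_screen_lock`. The two "lacks uchg" findings are expected on a stock machine and are exactly the deletion path the post describes; the "missing" findings are what you get after the user has removed the files.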

One thing I forgot to mention is that "Workgroup Manager.app" is a part of the "Server Admin Tools" which can be downloaded free from Apple. Although it seems to be primarily intended to be used to configure OS X Server from an OS X Client machine, many of its functions can be used to configure the OS X Client machine itself, in the complete absence of OS X Server. Unfortunately, the 'mcx_settings' aren't really "image friendly" - as far as using them on OS X client is concerned, they are something that seem to need to be applied to user accounts individually (although it is possible to copy all of the settings at once so it isn't necessary to go through the whole configuration process for each setting for each user). I have tried tinkering and applying them to groups, but group members don't seem to automatically be restricted (I may be missing something). The "tools" are available here:
http://www.apple.com/support/downloads/serveradmintools104.html
I don't know if it would be any better than the screen saver "hot corner", but there is an option to lock the screen from the "Keychain Access" menu extra, which can normally be enabled through "/Applications" > "Utilities" > "Keychain Access.app", from its "Preferences". This setting is then stored in the "com.apple.systemuiserver.plist" file (i.e. independent of the "Dock"), but could in principle be controlled from 'mcx_settings' as well. The level of control seems to be incomplete - the user can still drag the item off of the menu bar, but it returns during the next login. However, it does provide convenient access to a method to lock the screen and keychains, and has a nice "padlock" icon so that its function is obvious. It is also potentially possible to assign a two-step keyboard shortcut to the "Lock Screen" item, but it would be somewhat less convenient than a direct key combo...
One other note regarding the "admin" user's ability to unlock the screensaver. The configuration file allowing the "admin" user to do this is "/etc/authorization", under 'system.login.screensaver'. Currently, the "rule" is set to 'authenticate-session-owner-or-admin'. Changing it to 'authenticate-session-owner' would be expected to remove the "admin" user's ability to unlock the screensaver, and if "Fast user switching" is available, the "admin", being unable to authenticate, should be able to switch to the "login window" from the authentication dialogue. I haven't tested this at all in "Tiger", but in "Panther", there was apparently a problem with it (which is why it had slipped my mind since at the time it was rejected as a viable option) - the person who posts here as "LittleSaint" had mentioned some problem with user logins when set up that way but I don't remember what it was, and so can't test if it has been fixed in "Tiger" (not very reassuring, and I apologize). And again, this is a setting that an "admin" would be able to reverse for themselves. Also, should "Fast user switching" become disabled for some reason, and the screen saver kicks in and the user isn't available, it might be a hassle to get back into the machine (it might be possible to do something over ssh). Nevertheless, it might be something to look into.
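The /etc/authorization change described in the reply above, as an added example that is not part of the thread and not an Apple tool: a Python script that reads the authorization plist, reports which rule guards `system.login.screensaver`, and writes out a copy with the right pointed at `authenticate-session-owner`. The embedded sample is a constructed, heavily abbreviated stand-in for the real file (only the one right and two rules), and the rule attributes (`class`, `group`, `session-owner`) are an assumption about the Tiger format; the test for "admins can unlock" simply asks whether the resolved rule names a group.

```python
import plistlib
import sys

RIGHT = "system.login.screensaver"
OWNER_OR_ADMIN = "authenticate-session-owner-or-admin"   # Tiger default, per the reply
OWNER_ONLY = "authenticate-session-owner"

# Constructed, abbreviated stand-in for /etc/authorization: only the right and
# the two rules this example touches. Rule attributes are an assumption.
SAMPLE_AUTHORIZATION = plistlib.dumps({
    "rights": {
        RIGHT: {
            "rule": OWNER_OR_ADMIN,
            "comment": "The owner or any administrator can unlock the screensaver.",
        },
    },
    "rules": {
        OWNER_OR_ADMIN: {"class": "user", "group": "admin", "session-owner": True},
        OWNER_ONLY: {"class": "user", "session-owner": True},
    },
})


def screensaver_rule(data: bytes) -> str:
    """Name of the rule currently guarding system.login.screensaver."""
    return plistlib.loads(data)["rights"][RIGHT]["rule"]


def admin_can_unlock(data: bytes) -> bool:
    """Resolve the right's rule and report whether it admits a group as well
    as the session owner (assumption: a 'group' attribute widens the rule)."""
    db = plistlib.loads(data)
    rule = db["rules"][screensaver_rule(data)]
    return "group" in rule


def restrict_screensaver_unlock(data: bytes, rule_name: str = OWNER_ONLY) -> bytes:
    """Return a copy of the authorization plist with the screensaver right
    pointed at rule_name. Refuses an undefined rule name rather than writing
    a right that nobody can satisfy (a typo here would lock everyone out)."""
    db = plistlib.loads(data)
    if rule_name not in db.get("rules", {}):
        raise ValueError("rule %r is not defined in the rules section" % rule_name)
    db["rights"][RIGHT]["rule"] = rule_name
    return plistlib.dumps(db, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Usage: python3 authz_screensaver.py /etc/authorization > authorization.new
    # Diff the result against the original and keep a backup before installing it.
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZATION
    print("current rule:", screensaver_rule(source), file=sys.stderr)
    print("admin can unlock:", admin_can_unlock(source), file=sys.stderr)
    sys.stdout.buffer.write(restrict_screensaver_unlock(source))
```

Two caveats the reply already hints at still apply: an admin can put the rule back, and with fast user switching off there is no path back into a locked session other than the owner or a remote login. Separately, from Mac OS X 10.9 onward /etc/authorization is no longer the live store; the rights database is read and written with `security authorizationdb read system.login.screensaver` and `security authorizationdb write ...`, so on those systems feed this script's output to that command rather than copying it over the file.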

Similar Messages

  • I have a brand new Mac Mini (July 2014) with 16 GB RAM and 1 TB hard drive and I typed in my screen saver password today and it froze up.  Had to push the power switch and restart the computer.  Why, and what can I do to prevent this?

    It shouldn't crash just because I type in my screen saver password.  But it did.  I had to push the power button to shut it down and turn it back on.

    Freezes happen occasionally. Hard to pinpoint a cause. I wouldn't let it worry you as they are rare. If this happens often then post back as there may be something wrong.

  • Is it possible to password protect (secure hidden) photos?

    Is it possible to password protect (secure hidden) photos?

    no
    you can put the (or a second) iPhoto library on an encrypted volume - you can not secure particular photos
    LN

  • Why does screen saver prompt for secure disk image password?

    Okay, seems like an odd problem, but here it goes.
    I go into System Preferences->Desktop & Screen Saver.  As the program "loads" available image sources and such I get a pop-up requesting a password to my secure disk image.
    Yes, I have a secure disk image in my home directory.
    Yes, the secure disk image is currently "locked" (Not mounted in finder).
    I click cancel (a few times, probably 2 maybe 3 times) and things continue along fine.
    I select a photo source that I want for a screen saver and exit preferences.
    I then go and start the screen saver (I'm using Hot-Corners).
    I get the message "Looking for pictures....." for, well... basically forever...
    Sure enough I touch the mouse to leave my screen saver and there is the pop-up again.  Asking for me to unlock my secure disk image.
    I thought this might be related to Spotlight.  I tried reading several threads and have gone as far as taking my entire hard-drive/volume and putting it into the "Privacy" tab under Spotlight.
    Anybody have any idea on what is going on and how I might get it so the "Desktop & Screen Saver" stop prompting me to unlock my secure disk image?  (WITHOUT having to make sure the disk image is unlocked before I sleep my screen or open the screen saver utility)
    As always, I am only speculating that this is Spotlight related so that could be a red-herring....
    thanks in advance.
    OSX:10.7.3
    imac/3.1G/Intel

    Update: I made some progress on this issue.  I found that in the ~/Pictures/iPhoto Library/Database/ directory there is a file called Library.apdb.  This file has an entry for the secure disk image I have/had.  I moved the file to Library.apdb.bkup and sure enough, my picture problem went away.  The screen saver panel no longer prompts me to unlock my secure disk image.
    So now the next chapter of my problem; when I open up iPhoto it wants to rebuild my photo library (which makes sense and is what I want to happen) so I allow it.  After about 25 mins it has rebuilt the iPhoto library, but there is one problem.  The secure disk image reference is back in the Library.apdb file that has been recreated!
    So now I need to figure out how to get iPhoto to remove any reference to a photo library I once had on the secure disk image but have long since removed.
    I first created an iPhoto library on my secure disk image by holding the option key and invoking iPhoto.
    I removed that library a while ago....
    So how do I make iPhoto remove a no longer used iPhoto library?

  • How to password protect / secure one memo or all memo's?

    Hello.
    I have memos in the memopad that I need to password protect.
    How can I protect individual memos?
    Is there a way I can password protect the entire memopad program (if I am unable to password protect an individual memo)?
    Thanks!
    Juggernaut

    This app adds that functionality to the standard Memopad tool:
    http://61moons.com/memolock.php

  • HT201406 My screen is password protected and the touch screen is unresponsive.  What do I do?

    Need help!  Not sure why this happened.  When I plug it into the computer it says I have to enter the password on the iPod, which I am unable to do. Resetting it also doesn't work.

    Place the iOS device in Recovery Mode and then connect to your computer and restore via iTunes. The iPod will be erased.
    iOS: Wrong passcode results in red disabled screen
    If recovery mode does not work try DFU mode.
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings

  • Cracked screen on password protected lumia 820

    I cracked the screen on my Lumia 820 and can no longer enter my password. Is there a way I can access my photos from the device? Even when I connect it to my computer it still requests the phone be unlocked which I can no longer do. Any suggestions? Thanks in advance.

    You could try hard resetting it as follows. With the phone powered off, press and hold the vol down +power+ camera buttons. When the phone vibrates, release the power button and release the remaining two buttons 5 seconds after that.

  • Firmware Password Ignored (Security Flaw?)

    I'm following Apple's instructions for setting a firmware password on my late 2009 MacBook Pro.
    These are detailed in the knowledge base article here: http://support.apple.com/kb/ht1352
    Per the instructions, I'm booting from my Snow Leopard DVD, running the Firmware Password Utility, and entering/confirming the password.
    When I reboot, I am still able to 1) Hold the T key and enter target disk mode, 2) Hold the C key and boot from my Snow Leopard install disk. At no point do I see a password challenge. The chart in the KB article clearly lists these actions as things that are supposed to be blocked by the firmware password.
    Has anybody else tried the same thing with a recent Intel-based MacBook Pro?

    I have a MBP and just set a firmware password a few hours ago. To make sure it took, I held down option key and also did the keys for open firmware (O + F), C for startup from CD/DVD and T for Firewire target disk mode and nothing worked as it should.
    Here's one option for you. Open Terminal. On the command line, type: nvram -p
    This is the unix command for working with open firmware. The '-p' prints the values of the public variables to the terminal window. Amongst all the gibberish, look for the following line:
    security-mode [value here]
    If the [value here] on your system says 'none' then, for some reason open firmware didn't take.
    If the value is 'command' then it should be working correctly
    Also, if you have replaced your internal optical drive with an extra hard disk, make sure you have the volume you want to boot from set correctly in Startup Disk. Amongst the variables that Open Firmware stores is the startup disk. So if you have two internal drives and you set the firmware password on one and you normally boot your computer with the other drive, that could be why it's not working for you.
    At the very least, I would take the time to try it one more time via the DVD utility. Startup off the DVD, turn off firmware password, restart the machine, startup off the DVD again and set a firmware password and then restart again. I would think it would be fine at that point.
    Two cautions:
    1) Be careful where and with whom around you use this command as the open firmware password you chose is not encrypted, it is only obfuscated. Unix is actually showing you your firmware password in hexadecimal notation so it could be deciphered by someone who knows how.
    2) While you can use sudo with nvram to change open firmware variables, I do not recommend it as I have not tried it and I don't know how your system would behave. So if you choose to do this you do so at your own risk.
    Let us know what happens.

  • How can I over ride my screen saver passwords to access my iBook G4?

    Yesterday, I called Tech. support via Apple and was provided a case number for my issue.
    The e-mail that was sent to me did not assist me.
    Today, I am told that I would need to purchase a 30 day technical support plan for $50.  They would not be able to assist me unless I paid into this (frustrated).
    Does anyone know how I can hack into my own iBook G4 without unnecessary expenses?
    Any references and or support is greatly appreciated.
    Respectfully,
    David

    Hi, David. Welcome to Apple Support Communities.
    Which exact iBook model is it?
    You can choose from this list:
    http://www.everymac.com/systems/apple/ibook/index-ibook.html
    Which version of the operating system is it running now? (Mac OS X 10.0 would not be possible on an iBook which was purchased new in 2004.)
    How much RAM is installed?
    What kind of optical drive does it have? (CD-ROM, CD-RW, DVD, Combo, or SuperDrive?)

  • Password button checked but not required to open screen saver or wake up

    I want my iMac to require a password to wake from sleep or restore the screen. The button for this option (Require password to wake this computer from sleep or screen saver) is checked under Security, but is not being used. I tried unclicking and reclicking the button, and I tried making sure iTunes is turned off, in case having a radio station playing prevents something from happening, but no luck. Any suggestions?
    David

    I have seen many threads about this over the years, and have even seen it on my own Mac (but it's working fine right now.) The long and the short of it is that I no longer trust that feature to work as advertised. Now I fast user switch to the login window before sleeping my Mac or leaving it unattended. The next person to use the Mac will need to enter the account password to get back in, so this really works just as well as what the screen saver password is supposed to do.
    I even wrote a little script to switch to the login window and then put my Mac to sleep when I press Command-F13. I can share how to do that with you if you like.

  • Password protected screen lock application

    I need a screen lock software which locks the phone screen with password protection. Which means, screen lock/unlock should be made only on entering password..
    I searched for many screen locker apps, but no one comes with password protection..
    Pls give me a password protected screen locker app..

    Go to Phone-->Settings-->Phone Management-->Security-->Lock Code
    or refer Pg. No. 177 of http://nds1.nokia.com/phones/files/guides/Nokia_X6-00_UG_en.pdf

  • Missing password window when waking from screen saver

    I've had some issues with waking from sleep once I turned on the screen saver password. I opened the lid and the screen lit up and I had the mouse pointer--but no user name/password box.
    I tried opening/closing the lid a few times, plugging it in to an external monitor, etc, and no luck. I ended up having to hold the power key down until the machine turned off and then I rebooted, and I lost some work.
    Is there any way to force a login screen?

    I have a simple solution, go to your "Energy Savings" setting under the System Settings, once there move the slider-bar so that your screen saver is never activated. Now move the slider-bar so the system goes into "stand-by" mode after 5-10 minutes, thus once opened again, should prompt you to enter your password..?!
    Please ignore the "Windows" terms. I'm a new Mac user, but this solution has seemed to work in my case, at least until a "Fix" is made.

  • How do you turn off the password requirment to unlock from screen saver?

    In Mac System Preferences under the security options there is no checkbox or way to turn off the password requirement while the Mac is in screen saver mode or sleep mode? I read in Mac help that there should be an option?

    Can you try logging on as another administrative user?  (Make another user, if necessary.)
    And just for the heck of it, if you click the lock and unlock the rest of the controls, does the checkbox appear?
    Another thought: is your computer part of a Windows domain or other network?  Is there a policy on the network to require a screen saver password?  (For example on my office's Windows network, a screen saver password requirement is set in the Group Policy.  I'm assuming that something similar can be done with an OSX server, if you haven't joined the Mac to a Windows Active Directory network.)

  • Firefox doesn't prompt to save password.Remember password in security tab ticked

    Firefox 5.0.1 does not prompt to save password.
    Save password in security tab (tools/options) is ticked

    Make sure that you do not run Firefox in permanent Private Browsing mode.
    *https://support.mozilla.com/kb/Private+Browsing
    *You enter Private Browsing mode if you select: Tools > Options > Privacy > History: Firefox will: "Never Remember History"
    *To see all History and Cookie settings, choose: Tools > Options > Privacy, choose the setting Firefox will: Use custom settings for history
    * Deselect: [ ] "Permanent Private Browsing mode"
    See also:
    *http://kb.mozillazine.org/User_name_and_password_not_remembered

  • Is it possible to password protect applications?

    I'd like a password to be required when accessing various programs, Mail for example. I know you can require a password when checking for new mail, but that leaves access open to previously sent and received messages. I want a password dialog box to pop up when the program is launched, protecting access to that program under that user. Is this something possible with the Keychain or is there a third party app for this?
    Thanks for any help.
    C
    PowerBook G4 1.5 GHz   Mac OS X (10.3.7)  

    Messages are not part of the application. Protecting the application would do nothing to protect the data, which can be easily viewed without using Mail.app.
    In general, sensitive data can be stored in an encrypted disk image. I am not sure how easily that could be done with mail.
    The best approach, however, is to use OS X's user model. Each user should have his own account. People who shouldn't see your mail should not have access to your account. That, along with locking in the screen saver provides more security than locking an application could do.
