Thursday, September 22, 2011

Mac OS X Lion Passwords Are Super-Easy to Hack (and Change) by Any Local User [Security]

You're constantly hearing about how you need to make sure to use a secure password, but what are you supposed to do if a hacker can just change your password without even cracking it? That's what users with physical access to your computer can do on OS X Lion right now.

A similar issue in previous versions of OS X allowed Admin users to access the "shadow files" that store OS X passwords, but in Lion, non-Admin users can access the hash and salt data for passwords, which shouldn't be possible. But that's not all—it seems Directory Services in Lion don't require authentication when requesting a password change for the current user, so even if the encrypted hashes aren't cracked, the password can still be changed.

CNET's got a detailed list of ways to lock down your system until Apple releases a patch, like disabling auto-log-in, enabling sleep and screensaver passwords, and disabling guest accounts, but the long and short of it is that anyone with physical access to a Mac running Lion can access and change your password relatively easily. So be careful with that, eh? [Defence in Depth via CNET via Techmeme]
