When you first set up your Mac, the only security measure that’s enforced is that you add a password to your user account. The Setup Assistant makes no mention of extra measures you might want to enable, even though several are built into OS X. The features we’re about to look at are defenses against local attacks, rather than protection against online attacks. The measures are particularly important if you work in an open environment, such as a library, an office, or a café, and if your Mac is stolen, because they help to keep your data under lock and key.
One thing that isn’t covered here is FileVault, which encrypts everything on your Mac so it’s unreadable to anyone who doesn’t have your password. It’s what you might call a nuclear option, though, and carries a risk: if you lose both your password and backup recovery key, which lets you reset your password, you’re forever locked out of your files. You can store your recovery key with Apple, but three questions must be answered precisely for access, so this also carries a risk. FileVault is extremely secure, but its seriousness means we don’t recommend it for everyone.
1. Turn Off Automatic Login
Automatically logging into a user account on startup is risky. After holding down the power button to turn off the Mac, a restart is all you need to gain access. Automatic login can be disabled under Login Options in the “Users & Groups” preferences pane.
2. Obfuscate Login Details
The login window shows account names by default, leaving passwords to be input. Under Login Options, switch to “Name and password” so both details need to be entered. Changing Fast User Switching to show an icon stops names being read from the screen.
3. Restrict Your Abilities
Daily, it’s safer to use a Standard account, but an admin is needed for system changes. Create a new admin in the Users & Groups pane, log out, then into the new account. Select your regular account and clear “Allow user to administer…” to reduce its rights.
4. Fully Protect
To protect critical settings, log in from an Administrator account, open the Security & Privacy pane, click General, then click the Advanced button and ensure “Require an administrator password to access system-wide preferences” is checked.
5. Request Password to Wake
Waking a Mac from sleep gives access to whatever account was left signed in. Under “General” in the Security & Privacy pane, turn on the option that requires a password to wake, and set how soon it’s needed. Longer than the “5 seconds” option is risky.
6. Tighten Keychain Security
Your password also protects your Keychain, giving access to its contents to Safari’s AutoFill feature, for example, just by logging in. To require separate consent, open Keychain Access, right-click “login” in the Keychain list and choose “Change Password…”
7. Sharing Services
Features in the Sharing pane allow you to log into a Mac remotely or simply copy files. In particular, review the options under Screen Sharing and File Sharing to ensure your Mac and its contents can’t be accessed by just anyone connected to the same network.
8. Lock the Keychain
In the same menu, choose “Change Settings…” for options that lock the Keychain upon sleep or after inactivity. In the app’s preferences, you can add a menu bar icon to show Keychain status and to lock it. When locked, system services may prompt you for access.
9. An Unplugged Hole
Without a firmware password, Recovery Mode gives the unfettered ability to reset any account’s password from Terminal. The Keychain password is unaltered by this, so an intruder won’t be able to read website logins, but they will have access to local files. That’s why you should set a firmware password, as detailed in the next step.
10. Set a Firmware Password
Restart your Mac and hold Command + R at the chime. Choose Utilities > Firmware Password Utility from the top bar. Set a password and don’t forget it — you’ll need it on rare occasions such as restoring your Mac from Time Machine, and to use other startup key combinations.
