The Mac has a spectacular reputation for stability and security. You hardly ever hear of a Mac virus. There’s also no Windows-esque plague of spyware (downloaded programs that do something sneaky behind your back).
Here are a few of macOS’s big-ticket defenses.
These days, having a complicated password isn’t enough to protect you from the bad guys. Even if your password is é$*@çg45e$+!!!>?!+r6ü, someone can still steal it. (There are all kinds of ways. An inside job. An FBI demand. Poor security on a company’s servers. Social engineering, where someone calls up pretending to be you and saying, “I forgot my password.”)
Impressively enough, security experts have come up with a way to keep baddies out of your account even if they’ve got your password.
Here’s how it works: The first time you try to access your account using a new gadget (a new laptop or phone, for example) or a new web browser, the company instantly sends a special, one-time code to a phone, tablet, or computer that it knows you own. You need that code to get into your account.
If some Russian hacker does get your password, you won’t care! He still can’t get into your account, because the code will be sent to your machine, not his.
This ingenious system has earned the awful name two-factor authentication. (Let’s call it 2FA to save paper.)
Now, 2FA is available for your iCloud account. If you turn it on, the odds of someone else being able to access your account (email, calendar, messages, movies, music, backups, photos) drop close to zero. They’d have to have your password and steal your phone or laptop and know your account password on that device.
Note
Just in case you thought you understood this much, note that Apple’s two-factor authentication system is not the same thing as its earlier system, which was called two-step verification. Not kidding. That earlier system was very similar but worked by sending the code as a text message.
2FA is better, because it can send the code not just as a text message, but also with an automated voice phone call or as a dialog box in your phone or Mac’s operating system. 2FA also shows you a map that indicates where the login request is coming from.
Finally, instead of giving you a 14-character “Recovery Key” password to use as a last resort (in case you forget your password and lose your phone), Apple will call you on the phone number you’ve registered in advance to establish your identity and give you back your account. (It takes time, though—on purpose. Apple wants to frustrate the process if the perp is a hacker.)
To turn on this feature on your Mac, open System Preferences→iCloud. Click Account Details, then Security. At this point, you’re offered the chance to set up 2FA. You’re asked for your phone number, and you’re sent one of the verification codes to type in.
Each time you use a new Apple device, or a new web browser, for the first time, you’ll go through this setup process (just once). Each time, you’re adding to your list of trusted devices. At any time, you can look over a list of them in System Preferences→iCloud→Account Details.
Note
All of this works pretty smoothly on gadgets and programs made by Apple. But other companies’ programs—like non-Apple calendar and email programs—aren’t part of it. They’re locked out of your iCloud account just as though they were hackers.
Fortunately, you can go to https://appleid.apple.com/account/manage to generate an app-specific password. If you enter this 16-character password as your iCloud account password in your third-party calendar or email program, it will now be able to access your iCloud account as it did before.
This security feature sends Eastern European teenage hackers into therapy.
Nasty programs aren’t very common on the Mac to begin with. But unless you turn Gatekeeper off, downloading a program that’s secretly designed to damage your Mac is virtually impossible. Gatekeeper won’t even let you install programs that haven’t been proved to be safe (Figure 13-13).
To find Gatekeeper, you open System Preferences→Security & Privacy→General. At the bottom of this screen (Figure 13-13, top), you see three options. These three humble buttons are Gatekeeper.
Click the 
and enter your password to unlock this panel. Here are your choices, under “Allow apps downloaded from”:
App Store. This is the safest option. Every program that Apple allows into its Mac App Store is safe. Each has been tested by Apple to make sure that, among other things, it’s both sandboxed (blocked from accessing parts of the Mac that it doesn’t need) and digitally signed (set up to notify that Mac if it’s been altered in any way since it left the software company).
So what happens if you try to download a program that didn’t come from the App Store? The Mac won’t let you install it, period.
App Store and identified developers. This option, the factory setting, lets you download and install both App Store programs and those from “identified developers.” That means software companies that have registered with Apple and received, in turn, an encrypted code (a “certificate”) that’s embedded in their programs.
This certificate lets Apple track who created the app, and also digitally signs it, as described. Now, Apple may not know this software company, and Apple doesn’t inspect its software. But if anybody reports that some program is actually a virus in disguise, Apple can instantly add that program to its blacklist—and prevent millions of other people from installing it. (MacOS updates its blacklist once a day.)
Tip
As you may have noticed, the third option that used to be here—Anywhere—is gone in macOS Sierra; see the box below. But if there’s one particular non-kosher app you want to run, you can override Gatekeeper just for that one app. To do so, right-click (or two-finger click) the program’s icon; from the shortcut menu, choose Open. In the “Are you sure?” box, click Open.
Weird and roundabout? Yes. But that’s the point: Apple doesn’t want people easily overriding Gatekeeper— because then the Mac could lose its reputation for being virus-free.
Gatekeeper is a pretty powerful disincentive for the world’s bad eggs; if millions of people leave Gatekeeper turned on, the bad guys might as well not even bother. Their apps will never be downloaded and can therefore never spread.
There are, however, some important limitations to note:
Gatekeeper doesn’t uninstall programs you’ve already installed. (Once you’ve run any program once, Gatekeeper never checks it again.)
Gatekeeper is intended to stop malware that you get by downloading. It doesn’t do anything about programs you’ve installed from, for example, a DVD or USB drive.
It doesn’t stop Flash and Java programs.
Overall, Gatekeeper is a pretty convincing barrier to a Windows-like nightmare scenario, where some virus breaks out into the wild and takes down hundreds of thousands of computers. If most people leave the factory setting selected—and they will—that outcome is virtually impossible.
FileVault is one of macOS’s most powerful security features. Understanding what it does, however, may take a little slogging.
As you know, the accounts system is designed to keep people out of one another’s stuff. Ordinarily, for example, Chris isn’t allowed to go rooting through Robin’s email and files.
Until FileVault came along, though, there were ways to circumvent this protection system. A sneak or a show-off could start up the Mac in FireWire disk mode, for example, or even remove the hard drive and hook it up to a Linux machine or another Mac.
In each case, he’d then be able to run rampant through everybody’s files, changing or trashing them with abandon. For people with sensitive or private files, the result was a security hole bigger than Kim Kardashian’s bank account.
FileVault is an extra line of defense. When you turn on this feature, your Mac automatically encrypts (scrambles) everything on your startup hard drive—not just what’s in your Home folder. Every time you create or save a new file, it, too, is insta-encrypted.
Note
FileVault uses something called XTS-AES 128 encryption. How secure is that? It would take a password-guessing computer 149 trillion years before hitting pay dirt. Or, put another way, slightly longer than two Transformers movies.
This means that unless someone knows (or can figure out) your password, FileVault renders your files unreadable for anyone but you and your computer’s administrator—no matter what sneaky tricks they try to pull. (You can, if you like, authorize other account holders to get in, too.)
You won’t notice much difference when FileVault is turned on. You log in as usual, clicking your name and typing your password. Only a slight pause as you log out indicates that macOS is doing some housekeeping on the encrypted files: freeing up some space and/or backing up your home directory with Time Machine.
Here are some things you should know about FileVault’s protection:
It’s useful only if you’ve logged out. Once you’re logged in, the entire drive is unlocked and accessible. If you want the protection, then be sure to log out before you wander away from the Mac.
An administrator can access your files, too. According to macOS’s caste system, anyone with an Administrator account can theoretically have unhindered access to his peasants’ files—even with FileVault on—if that administrator has the master password (the recovery key) described in the box on the next page.
FileVault relies on the Recovery HD partition. You can read about this secret chunk of your hard drive in Tip. For now, the point is that if you’ve deliberately reformatted your hard drive in some nonstandard way, you may not be able to use FileVault.
FileVault can encrypt external drives, too—even flash drives. The controls to do this, though, are in a different place—not in System Preferences at all. Instead, open Disk Utility (in your Utilities folder). Erase the external drive using Mac OS Extended (Journaled, Encrypted) format. (And, yes, you have to erase the drive before you can encrypt it.)
You can turn FileVault off at any time. Just revisit the FileVault pane in System Preferences. (It takes time to decrypt your drive, but you can keep right on working.)
To turn FileVault on, proceed like this:
In System Preferences, click Security & Privacy, and then click FileVault. Click the
, authenticate yourself, and then click Turn On FileVault.Now, remember, FileVault encrypts all your files. If you forget your Mac account password—well, that would be bad.
Yeah, yeah, the peons with Standard accounts forget their account passwords all the time. But with FileVault, a forgotten password would mean the entire hard drive is locked forever. So Apple gives you, the technically savvy administrator, a back door, for use in that situation.
It offers to let you use your iCloud password (your Apple ID password) as the back door. That’s a much more reasonable one than the alternative, the recovery key.
The recovery key is a long, complicated override password like UK84-LVT5-YFX9-XN3K-LT53-PL9N. It gives you another way to unlock the encrypted drive, even without knowing the account holder’s password.
Choose the backdoor method you prefer: “my iCloud account” or “recovery key.” Click Continue.
If you chose the recovery key, the Mac now shows it to you: a long, complicated string of numbers and letters and hyphens. Write it down in a place you’ll never lose it! Then click Continue.
Either way, a list of account holders now appears (Figure 13-14, top). The button next to each one, Enable User, might sound like you’re about to lead someone into drug addiction, but it’s actually your chance to specify who else can unlock the disk by logging in.
For each person you want to be able to log into this Mac with her own password, click Enable User. Type in that person’s password and click OK. When you’re finished, click Continue.
(Anyone to whom you don’t give access can still use the Mac—but only after persuading an administrator to come over and type in his name and password.)
Click Restart.
When you log in again, the Mac begins the process of encrypting your entire hard drive. This process takes a long time (the FileVault pane in System Preferences shows you the estimated remaining time), but you can keep using your Mac in the meantime. In theory, you won’t feel much of a slowdown at all while the encrypting is going on. You can even restart or shut down the computer.
Figure 13-14. Top: You have to explicitly give permission to each person you want to allow to log into your FileVault-protected Mac. Also, you won’t get away with no-password accounts for this trick; Jane, shown here, won’t be able to unlock the disk at all. Click Enable User to add a password to this account.
You shouldn’t notice any speed hit as you work with an encrypted disk, either. You’ll notice only a few small security-related changes. For example, you’ll be asked for your password every time you wake the computer or exit the screensaver.
If you have a broadband, always-on connection, you’re open to the Internet 24 hours a day. It’s theoretically possible for some cretin to use automated hacking software to flood you with data packets or to take control of your machine. MacOS’s firewall feature puts up a barrier to such mischief. To turn it on, click the on the Firewall pane in the Security & Privacy section of System Preferences, authenticate yourself, and then click Start.
Note
You don’t need to turn on this firewall if your Mac connects to the Internet through a wired or wireless router (including the AirPort base station). Virtually every router already has a built-in firewall that protects your entire network. (Similarly, if you’re using the Internet Sharing feature described in Making the Switch, then turn on the firewall only for the first Mac, the one connected right to the Internet.)
In short: Use the firewall only if your Mac is connected directly to a cable modem, DSL box, or dial-up modem.
Fortunately, it’s not a complete barrier. One of the great joys of having a computer is the ability to connect to other computers. Living in a cement crypt is one way to avoid getting infected, but it’s not much fun.
Therefore, you can turn the firewall on by opening System Preferences→Security→Firewall tab, authenticating, and then clicking Turn On Firewall. But you can also fine-tune the blockade.
To do that, click Firewall Options; you see something like Figure 13-15 at bottom. As you can sort of tell, macOS lets you allow or block Internet connections individually for each program on your Mac. Here’s what you’ll find there:
Block all incoming connections. This option might be better known as Paranoid Mode. You’re allowed to do email and basic web surfing and a few other deep-seated services that macOS needs to get by. But all other kinds of network connections are blocked, including screen sharing, iTunes music sharing, and so on. This is a hard-core, meat-fisted firewall that, for most people, is more trouble than it’s worth.
Bottom: This pane lists the programs that have been given permission to receive communications from the Internet. At any point, you can change a program’s Block/Allow setting, as shown here. You can also click the + button to navigate to your Applications folder and manually choose programs for inclusion.
Figure 13-15. Top: The macOS firewall starts with a simple button click. The fun stuff doesn’t begin until you click Firewall Options.
Tip
As you can tell from the wording of this item, macOS’s firewall blocks only incoming connections, which covers most of the dangerous stuff. But if you’d also like your Mac to block outgoing Internet connections, you can install a shareware firewall program like Little Snitch. It’s available on this book’s “Missing CD” page at www.missingmanuals.com.
[List of individual programs]. If the firewall is on but you haven’t turned on “Block all,” then the Mac uses this list of individual programs and features to determine what’s allowed to accept network connections.
In this window (Figure 13-15, bottom), features of macOS itself are listed. They get added to this list automatically when you turn them on in System Preferences: File Sharing, Printer Sharing, and so on.
Non-Apple programs can gain passage through your firewall, too. You can add one to the list manually by clicking the + below the list and choosing it by hand; or you can simply respond to the request box that pops up whenever a new program wants to accept incoming Internet connections.
Click Allow for each such request (unless, of course, you see a request for an app called SneakyPoisonVirus or something). As you do so, their names get added to the list of programs in this dialog box.
For each program, you can use the pop-up menu beside its name to specify either “Allow incoming connections” or “Block incoming connections,” depending on your level of paranoia.
Automatically allow signed software to receive incoming connections. Signed software means programs that Apple recognizes as coming from legitimate companies.
Note
OK, technically, a signed program is one whose authenticity is confirmed by a third party—a “certificate authority” company like Verisign or GoDaddy. A system of invisible keys (security numbers) confirms that the software did indeed come from the creators it claims it came from, no matter how many detours it took to reach you.
One more point: When you explicitly grant permission to a program, as described below, you’re signing that program.
If this checkbox is not turned on, then each time you run a new program for the first time, you’ll be interrupted so that the Mac can ask if it’s OK to permit Internet connections. The “signed software” box cuts down on the interruptions, since well-known apps are assumed not to be viruses or spyware.
Enable stealth mode. This is designed to slam shut the Mac’s back door to the Internet. See, hackers often use automated tools that send out “Are you there?” messages. They’re hoping to find computers that are turned on and connected full time to the Internet. If your machine responds, and they can figure out how to get into it, they’ll use it, without your knowledge, as a relay station for pumping out spam or masking their hacking footsteps.
“Enable stealth mode,” then, makes your Mac even more invisible on the network; it means your Mac won’t respond to the electronic signal called a ping. (On the other hand, you won’t be able to ping your machine, either, when you’re on the road and want to know if it’s turned on and online.)
Note
You might have noticed that there doesn’t seem to be any option to turn on firewall logging, which creates a little text file where macOS records every attempt that anyone from the outside makes to infiltrate your Mac. Logging is available, though—in fact, it’s turned on all the time. To view the log, open the Applications→Utilities→Console program. In the left-side list, expand the /private/var/log heading, and click appfirewall.log.
Plenty of software features require you to make up a password: websites, accounts, networked disks, and so on. No wonder most people wind up trying to use the same password in as many situations as possible. Worse, they use something easily guessable like their names, kids’ names, spouse’s names, and so on. Even regular English words aren’t very secure, because hackers routinely use dictionary attacks—software that tries to guess your password by running through every word in the dictionary—to break in.
To prevent evildoers from guessing your passwords, macOS comes with a good-password suggestion feature called the Password Assistant (Figure 13-16). It cheerfully generates one suggestion after another for impossible-to-guess passwords (recharges8@exchangeability, anyone?).
Figure 13-16. Anyplace you’re supposed to make up a password, including in the Users & Groups pane of System Preferences, a key icon appears. When you click it, the Password Assistant opens. Use the pop-up menu and the Length slider to specify how long and unguessable the password should be. The Quality graph shows you just how tough it is to crack this password.
Fortunately, you won’t have to remember most of them, thanks to the Keychain password-memorizing feature described next. The only password you have to memorize is your account password.
The information explosion of the computer age may translate into bargains, power, and efficiency, but it carries with it a colossal annoyance: the proliferation of passwords we have to memorize. Shared folders on the network, websites, FTP sites—each requires another password.
Apple has done the world a mighty favor with its Keychain feature. (It’s an earlier, not-Internet-based version of the iCloud Keychain described in Tip.) Whenever you log into macOS and type in your password, you’ve typed the master code that tells the computer, “It’s really me. I’m at my computer now.” From that moment on, the Mac automatically fills in every password blank you encounter, whether it’s a website in Safari, a shared disk on your network, a wireless network, an encrypted disk image, or an FTP (File Transfer Protocol) program like Transmit or Cyberduck. With only a few exceptions, you can safely forget all your passwords except your login password.
All kinds of programs and services know about the Keychain and offer to store your passwords there. For example:
In Safari, whenever you type your name and password for a certain web page and then click OK, a dialog box asks: “Would you like to save this password?” (See Figure 13-17, top.)
Figure 13-17. Top: Safari is one of several Internet-based programs that offer to store your passwords in the Keychain; just click Yes. The next time you visit this web page, you’ll find your name and password already typed in.
Note
This offer is valid only if, in Safari→Preferences→AutoFill tab, “User names and passwords” is turned on. If not, the “Would you like to save this password?” message never appears.
Note, too, that some websites use a nonstandard login system that doesn’t produce the “Would you?” message. Unless the website provides its own “Remember me” or “Store my password” option, you’re out of luck; you’ll have to type in this information with every visit.
When you connect to a shared folder or disk on the network, the opportunity to save the password in your Keychain is equally obvious (Figure 13-17, bottom).
You also see a “Remember password (add to Keychain)” option when you create an encrypted disk image using Disk Utility.
Mac email programs, like Mail and Outlook, store your email account passwords in your Keychain. So do FTP programs; check their Preferences dialog boxes.
Your iCloud account information is stored in the Keychain, too (as you entered it on the iCloud pane of System Preferences).
A “Remember password” option appears when you type in the password for a wireless network or an AirPort base station.
The iTunes program memorizes your iTunes Store password, too.
If you work alone, the Keychain is automatic, invisible, and generally wonderful. Login is the only time you have to type a password. After that, the Mac figures, “Hey, I know it’s you; your password proved it. I’ll fill in all your other passwords automatically.” In Apple parlance, you’ve unlocked your Keychain by logging in.
But there may be times when you want the Keychain to stop filling in all your passwords, perhaps only temporarily. Maybe you work in an office where someone else might sit down at your Mac while you’re getting a candy bar.
Of course, you can have macOS lock your Mac—Keychain and all—after a specified period of inactivity (Gem in the Rough: Automatic Login with the Apple Watch). But if you want to lock the Keychain manually, so that no passwords are autofilled until you unlock it again, you can use any of these methods. Each requires the Keychain Access program (in your Applications→Utilities folder):
Lock the Keychain manually. In the Keychain Access program, choose File→Lock Keychain “login” (
-L), or just click the big lock icon in the toolbar (seen in Figure 13-18).Choose Lock Keychain “login” from the Keychain menulet. To put the Keychain menulet on your menu bar, open Keychain Access, choose Keychain Access→Preferences→General. Turn on “Show keychain status in menu bar.”
Lock the Keychain automatically. In the Keychain Access app, choose Edit→Change Settings for Keychain [your name]. The resulting box lets you set up the Keychain to lock itself, say, 5 minutes after the last time you used your Mac, or whenever the Mac sleeps. When you return, you’re asked to reenter your account password in order to unlock the Keychain, restoring your auto-password feature.
Whenever the Keychain is locked, macOS no longer fills in your passwords.
Note
As noted, you unlock your Keychain using the same password you use to log into macOS, but that’s just a convenience. If you’re really worried about security, you can choose Edit→Change Password for Keychain [your name], thereby establishing a different password for your Keychain, so that it no longer matches your login password.
Of course, doing so also turns off the automatic-Keychain-unlocking-when-you-log-in feature.
To take a look at your Keychain, open the Keychain Access program in Applications→Utilities. By clicking one of the password rows, you get to see its attributes—name, kind, account, and so on (Figure 13-18, bottom).
Figure 13-18. In the main Keychain list, you can double-click a listing for more details about a certain password—including the actual password being stored. To see the password, turn on “Show password.” The first time you try this, you’re asked to prove your worthiness by entering your Keychain password (usually your account password). If you then click Always Allow, you won’t be bothered for a password-to-see-this-password again.
Tip
The primary purpose of the Keychain is, of course, to type in passwords for you automatically. However, it’s also an excellent place to record all kinds of private information just for your own reference: credit card numbers, ATM numbers, and so on. Simply choose File→New Password Item (if it’s a name and password) or File→New Secure Note Item (if you want to type a blob of very, very private text).
No, the Mac won’t type them in for you automatically anywhere, but it will maintain them in one central location that is, itself, password-protected.
By choosing File→New Keychain, you can create more than one Keychain, each with its own master password. On one hand, this might defeat the simplicity goal of the Keychain. On the other hand, it’s conceivable that you might want to encrypt all your business documents with one master password and all your personal stuff with another, for example.
If you do have more than one Keychain, you can view all of them by clicking the little Show Keychains button at the lower-left corner of the Keychain Access window; now you see a list of all your Keychains (including some maintained by macOS itself). Click their names to switch among them.