Mac OS X Lion Passwords Are Super-Easy to Hack (and Change) by Any Local User


You're constantly hearing about how you need to make sure to use a secure password, but what are you supposed to do if a hacker can just change your password without even cracking it? That's what users with physical access to your computer can do on OS X Lion right now.

A similar issue in previous versions of OS X allowed Admin users to access the "shadow files" that store OS X passwords, but in Lion, non-Admin users can read the hash and salt data for other users' passwords, which shouldn't be possible. That's not all, either: it seems Directory Services in Lion doesn't require authentication when a password change is requested for the current user, so even if the password hashes are never cracked, the password can still be changed.

CNET's got a detailed list of ways to lock down your system until Apple releases a patch, such as disabling auto-log-in, enabling sleep and screensaver passwords, and disabling guest accounts. The long and short of it is that anyone with physical access to a Mac running Lion can access and change your password relatively easily. So be careful with that, eh? [Defence in Depth via CNET via Techmeme]
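A quick way to audit the three interim mitigations listed above. This is an added example, not a script from the article or from CNET; it assumes the usual loginwindow and screensaver preference keys (autoLoginUser, askForPassword, GuestEnabled) and only reports their state, so it does not address the Directory Services flaw itself.

```shell
#!/bin/sh
# Added audit script (not from the article): reports whether the three
# interim mitigations the article lists are in place on a Lion machine.
# Assumed preference keys (verify on your own system):
#   /Library/Preferences/com.apple.loginwindow autoLoginUser  (set => auto-login on)
#   com.apple.screensaver askForPassword (per-host)           (1   => password required)
#   /Library/Preferences/com.apple.loginwindow GuestEnabled   (1   => guest account on)
# It only reads settings; it changes nothing and does not fix the
# unauthenticated Directory Services password change itself.

# read_default HOSTFLAG DOMAIN KEY -> the value, or "" when the key is unset
# or when the `defaults` tool is missing (e.g. when run somewhere other than a Mac).
# HOSTFLAG is "" or "-currentHost" (needed for the per-host screensaver prefs).
read_default() {
  if command -v defaults >/dev/null 2>&1; then
    defaults $1 read "$2" "$3" 2>/dev/null || true
  fi
}

# Each judge_* takes the raw value and prints PASS, FAIL or UNKNOWN, so the
# decision logic can be exercised without a Mac.
judge_auto_login() {       # auto-login is off only when no user is named
  if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}
judge_screensaver_pw() {   # 1 = ask for password on wake / screensaver exit
  if [ "$1" = "1" ]; then echo PASS; else echo FAIL; fi
}
judge_guest() {            # 0 = guest disabled; unset means never configured
  case "$1" in
    0)  echo PASS ;;
    "") echo UNKNOWN ;;
    *)  echo FAIL ;;
  esac
}

audit_lion() {
  auto=$(read_default "" /Library/Preferences/com.apple.loginwindow autoLoginUser)
  saver=$(read_default -currentHost com.apple.screensaver askForPassword)
  guest=$(read_default "" /Library/Preferences/com.apple.loginwindow GuestEnabled)
  printf 'auto-login disabled           : %s\n' "$(judge_auto_login "$auto")"
  printf 'screensaver/sleep password on : %s\n' "$(judge_screensaver_pw "$saver")"
  printf 'guest account disabled        : %s\n' "$(judge_guest "$guest")"
}

audit_lion
```

Run it as the logged-in user so the per-host screensaver preference is the one that applies to that account.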

Anyone with physical access to any *nix machine (MacOS included) can simply start up in single-user mode (which gives you a root shell) and do any damn thing they want. Actually, that goes for Windows as well, since you can just boot off of an external *nix boot device and have at the contents of the hard drive.

Does the problem with a non-admin user being able to change the passwords of other users from within their login session still have to be fixed? Sure. But the impact of this issue is being blown all out of proportion for the clueless masses.