My MacBook Air recently had to be sent back to Apple for service to replace a faulty logic board and hard drive. On the rare occasions in the past where I’ve had to send my Mac in for service, there has always been some warning or some steps I could take to prep my computer for service. In this instance, the failure was instantaneous. Working one moment, non-responsive the next and I was never able to bring the machine to a state where I could access data or make modifications. I knew it was standard procedure, but I cringed when the AppleCare service rep asked me for my administrator account password. The keys to the kingdom. My entire life was on that machine and giving up my admin password could mean giving a nefarious person the command codes to my entire life. I tried to talk my way around giving up my password to no avail.
As companies go, I probably trust Apple more than most with this information. I’ve been told by people inside the company their confidentiality and data disposal policy is very strong. Still, the thought still made me uneasy. While the hard drive alone would likely be of minimal value - the combination of the hard drive and the admin password could be disastrous.
Fortunately, some of the precautions I put into place prior to the hardware failure should have served to protect my most confidential data in the unlikely event of a data breach. This incident has also started me thinking about what steps could be taken in advance to protect data when your Mac is at its most vulnerable, when being sent in for repair. Here’s what I’ve come up with so far:
- Use a secure password manager and set the password to something other than your login password. I’ve preached at length about the need to have unique, secure passwords. But that’s only good if the key to your password manager is secure as well. Obviously, it should not be the same password as your login password. If someone has an admin password for your Mac, that will be the first thing they try.
- Use the features of your password manager. It surprises me how many people use a solution like 1Password or another password manager to store their passwords, but don’t truly take advantage of all the features such as strong password generation or finding and eliminating similar or weak passwords. Your passwords should all be unique and random. Don’t repeat passwords across sites, ever.
- Consider using disk encryption. I’ve never been a great fan of FileVault but it seems to come of age with the release of Mac OS Lion. My biggest complaint about disk encryption solutions is that it seems to create some problems with my other favorite utilities, backup utilities. So you may have to play a little give-and-take here to find a workable solution. Just keep in mind, in the case of FileVault, once you give up that admin password, you’ve just unencrypted FileVault. In the case of an alternative solution like PGP, you’re likely going to have to un-encrypt to properly diagnose and work on your machine.I’m very eager to see what changes Apple has made with FileVault in Lion and what better protections that will offer.
- Use secure disk images. You can create secure disk images for your most sensitive files. Files stored in secure disk images are inaccessible without the disk image password, regardless of whether someone has access to your account. The only problem is that these images typically are stored as a single file, sometimes as a bundle. So if the image becomes corrupt you can lose all your data inside. Backups are important.
- Use an alternative admin account. If Apple wants an administrator password, this will allow you to give them access to a password that is not your primary account. This will offer you some additional protection. I also like the idea of having a fresh clean user account for troubleshooting purposes. Setup a password for this account that is unrelated to any of your other passwords so your other passwords aren’t compromised if you have to give it out.
- Change your default keychain password. Passwords for many items are stored in your login Keychain. Mail accounts, wireless routers, etc. By default, your login Keychain password is the same as your login password. Changing this password makes using your Mac a bit of a pain because to really do anything with your Mac you’re going to have to punch in yet another password to unlock your keychain too. As with everything, security is a balance between security and user-friendly usability.
- Consider the security offered by the cloud. This may sound counter-intuitive but if you have sensitive items stored in a cloud-based solution like Dropbox, you can usually use the web interface for the cloud solution remove files from the computer next time it tries to connect. The options vary by service, but it’s something worth checking out.
- Look at security services. If your Mac suffers a hardware failure, many software based solutions will likely not work. However it’s an option worth considering for other situations. Apple may make this easier as there are rumors of a “Find My Mac” feature in Lion.
- If you have a special situation, explain it and ask. While not common procedure, especially if you are taking your Mac for repair at a local facility, you may ask the Tech or management for the return of your original hard drive or proof it was destroyed. This is more difficult when you ship your machine away, but still may be possible. Be prepared that you may have to pay for the defective part. For example, I had a defective Time Capsule replaced under AppleCare a few years ago but the defective unit still worked well enough to access data. While I had to take the functioning Time Capsule into Apple for diagnosis, the Manager (with a credit card hold) allowed me to take my old unit home for 24 hours so I could perform a secure erase on the hard drive.
This is by no means a comprehensive list of security precautions you can use with your Mac, nor is it intended to be. For a review of that topic, I suggest you check out Mac Power Users Episode 10: Mac Security. This post was directed to steps you an take to make your Mac more secure whens sending it off for service. If you have thoughts or suggestions, please leave a comment to this post so others can benefit.