Contrary to what Apple does with the setup program, the administrator account is not viable for daily use. There are too many things this account can do that you don’t want a script to be able to, such as cleaning out /Applications or various folders within /Library.Instead:
- Go make another account in System Preferences
- Make it an administrator
- Login with the new account and remove administrator rights from your original account
- Log back in with the original account
Tip #2: System Preferences is Not for Daily Use
- Require password to wake this computer from sleep or screen saver: This does exactly what it says. If you put the computer to sleep or have a screen saver setup then you’ll be asked for your user account information to unlock the computer. Use this, especially on portables. Of course, a restart will make this go away, so …
- Disable automatic login: This completely disables automatic login. Your system will startup to a login panel with a list of names. This is the most secure option because it doesn’t make the computer usable from a cold boot. If you know the system will log you in as a user with a restart, any security measure meant to prevent someone from having user-level access can be defeated with a reboot. Turn this on to prevent that.
- Require password to unlock each secure system preference: Notice how a lot of preferences have that lock at the bottom (like Network, Security, and Accounts)? Turning this on locks all of those by default, requiring an admin password (even for the admin user) to unlock. If you don’t do this, anyone can come right back to this preference pane and turn all of these settings off. Check it.
- Log out after __ minutes of inactivity: More annoying than useful to me, but if you tend to walk away from your computer and don’t mind losing your place in your work, turn this on. Locking the screensaver works well for me, instead.
- Use secure virtual memory: Turn this on. If this is off, then any time you enter a password it’s possible the system will write that password out in a block of memory it’s dumped to a file in /var/vm and, thus, makes the password recoverable. Using secure VM means those files are encrypted and it’s near-impossible to discover a user’s password from the swap files.
Tip #3: Turn off Services You Do Not Use
Go to System Preferences, then Sharing. Uncheck everything you’re not using, even if you think you will. Turn it on when you need it and turn it off when you’re done.
Tip #4: Outbound Calls Only, Please (Firewall)
Tip #5: Freeze the Credit Card (Keychain)
Yet, it has controls (again, turned off by default) that let you get around this. In Keychain Access, go to Edit and then to Change Settings for Keychain. You can do two things here: set an idle timeout, or tell it to lock on sleep. I prefer just locking on sleep, myself, because I rather depend on the screensaver to do the idle locking for my systems. Sleep, however, especially for portable users, means that the person waking the computer may or may not be the owner, and that’s prime time to start asking for passwords. Until a password is entered you won’t be on IM, or checking mail, or whatever else. Programs that use passwords will be locked from getting new data.
If your keychain password is different from your account password then you have an even greater level of security as the screensaver password won’t work for the keychain, and vice-versa.
Tip #6: Make a Good Password
The best password I’ve ever seen was someone that memorized a Windows license key and moved the sections around. Almost pure randomness, but ordered enough to remember. There are easier ways, and things you already know. For instance, do you know your car’s license plate? Know the plates of previous cars? Combine them in a memorable fashion, such as breaking them in half and merging two plates together.
Another popular method is to take two longish words and misspell them. That would result in something like “twinkel%unihorn” or “rut]row” or the like. Easy to remember, and hard to guess.
If that’s too simple for you, Keychain Access has a tool that helps make passwords, but since there’s no emotional investment in them they can be hard to remember (though, there is a phonetic method that makes near-English words as passwords). To get there pick New Password Item from the File menu and click on the lock icon (just one way; there are other ways to get to the assistant).