If you are like most people, you have just one user account on your Mac, the one created when you first got your computer. As the only user, you are also the administrator and you are allowed to do things like install applications. Most likely your username is your real name all run together, like “tonyedwards”. Although this is the way that most Mac users are set up, it’s terribly insecure for a couple of reasons.
Let’s say that, for whatever reason, you leave your computer unattended. A person who knows or can guess your password comes by. They wake the computer from sleep, click on your user account and enter your password to log in. They can then go to System Preferences and turn on services to let them access your computer remotely, access and alter your Keychain password or even create a new admin user for themselves and use it to change your password.
Even more likely, though, the person who will compromise the security of your Mac will be you. Let’s say that you want to download an application from an unknown website. Although the actual download link is shown on the page, you click a big “Download Now” button instead. Your browser is set to automatically open the download which, in this case, is something annoying or malicious, like MacKeeper. A window comes up showing you your username and asking for your password, which you enter without thinking.
Fortunately, it’s fairly easy to make things fairly difficult for the bad guys while avoiding “pilot error” mistakes by using a standard user account. A standard user account does not have the ability to make changes to your computer, like installing applications or modifying system preferences. But, when you do need to do those things, you can do so without having to log out first. Here’s a step-by-step tutorial on how to set up a standard user account for yourself.
First, we need to create a new user account which will be used solely for administering your Mac. From the Apple Menu, choose “System Preferences”.
Click on “Users and Groups”.
Click the lock in the lower left-hand corner to make changes.
Enter your administrator password. Notice that because you are logged in as the only administrator, your username is visible.
Click on the plus sign at the bottom of the sidebar on the left to create a new user.
Here’s where we tighten up our security. From the pull-down menu at the top, choose “Administrator”. For the “Full Name”, you can add your own name, but it has to be different from your present account because you can’t have two users with the same name. For example, instead of “Tony Edwards”, I’d choose something like “Tony Edwards Admin”. It doesn’t matter if it’s long because you won’t ever have to type it out.
However, for the “Account Name” you want to choose a name or word that is totally random, but completely memorable, like “sugarlumps”. Yes, I’m sure you can do better. Enter your new account name.
If you have been using your iCloud password for admin purposes, you can do so here as well. If you are using a made-up password on your present account, you can add it here, or you can come up with a new one for extra security. (Now might be a good time to upgrade your password to something harder to crack, but easy to remember.) Click “Create User”.
Go to the Apple menu and choose “Log Out (your user name)”. You will then be able to log in to the new user you just created using the new user name and password.
Now, we need to downgrade your normal account from administrator to standard privileges. Go to the Apple menu and again choose “System Preferences”, and click on “Users and Groups”. Click the lock to make changes, then enter the user name and password for your new admin user. In the sidebar, click on your old user account to choose it, then uncheck the box that says “Allow user to administer this computer”.
You can now log out of your admin user and back into your standard user account. If you take one final trip to Apple menu > System Preferences > Users and Groups, then click the lock to make changes, the credentials window will look different.
See, no username or password are revealed. So even if someone has your password, now they need to know the admin password as well. Following our example, you would enter “sugarlumps” as the username and your normal (or new) password.
And, hopefully, when you see this, you will stop and ask yourself, “Wait a minute. Is this something I really want to do?” For example, in the MacKeeper scenario above, before you enter your credentials, you might want to take a peek in your Downloads folder to see the actual name of the file you are about to launch.
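To confirm from Terminal that the steps above took effect, the following added example (not part of the original tutorial) checks who is in the Mac’s local admin group. The function names are made up for illustration, and “tonyedwards” and “sugarlumps” are the sample account names used in this article.

```shell
#!/bin/sh
# Added example: audit the local "admin" group after the procedure above.
# Function names are illustrative. macOS lists the group's direct members with:
#   dscl . -read /Groups/admin GroupMembership
# Nested groups are not expanded there; for a single account,
# `dseditgroup -o checkmember -m USER admin` is the per-account check.

# Constructed sample of that output after following the steps above.
SAMPLE='GroupMembership: root sugarlumps'

# Print the short names from a "GroupMembership: a b c" line, one per line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n'
}

# is_admin LINE USER: succeeds if USER is a direct member of admin.
is_admin() {
    admin_members "$1" | grep -Fxq -e "$2"
}

# audit LINE DAILY_USER: returns 0 = good, 1 = daily account is still an
# admin, 2 = no administrator account exists besides root.
audit() {
    gm=$1 daily=$2
    if is_admin "$gm" "$daily"; then
        echo "FAIL: $daily can still administer this computer"
        return 1
    fi
    others=$(admin_members "$gm" | grep -Fxv -e root -e "$daily" | grep -c . || true)
    if [ "$others" -eq 0 ]; then
        echo "FAIL: no separate administrator account exists"
        return 2
    fi
    echo "OK: $daily is a standard user; $others separate admin account(s)"
}

# On a Mac, audit the live group; elsewhere, run against the sample.
if command -v dscl >/dev/null 2>&1; then
    audit "$(dscl . -read /Groups/admin GroupMembership)" "${1:-$(id -un)}"
else
    audit "$SAMPLE" tonyedwards
fi
```

Run it while logged in to your everyday account, or pass that account’s short name as the first argument.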
Good job! You’ve just tightened up security on your Mac!