I’ve been eagerly reading previews of Mac OS X 10.1, and reading comments in forums by users who “acquired” a copy of a beta build, and I’ve noticed this really annoying bit of security folk wisdom that has now ingrained itself in the Mac community. (I’d link to examples, but it’s not worth it — if you read Mac news sites at all, you’ve seen what I’m talking about.)
The story goes something like this: “The new login screen, which optionally displays a list of users on the system, reduces the security of the system by an exponential factor, because instead of having to guess a login and password, a cracker only has to guess a password thanks to this list of user names.”
Hooey! For starters, <deadpan>Microsoft is doing the same sort of login welcome screen in Windows XP, and Microsoft knows how to make a secure operating system.</deadpan>
But seriously, this isn’t a “gaping security flaw that must be addressed before 10.1 ships,” as so many wanna-be security experts like to tell naive readers to make themselves sound smarter in the eyes of untrained Mac users. The first reason is simply that it’s a necessarily optional feature, as it would be impractical for a computer lab with hundreds or thousands of users to display a list of users. So if you’re that worried about it, turn it off, and then nothing I say below applies anyway.
Such a multi-user lab environment is exactly where a list of logins might be a security problem. But in that environment, most would-be attackers will already have an account, and a would-be attacker will have one of two targets — either the system, or another user’s private files. Taking the system automatically gets him another user’s data, but it’s also more likely to be noticed, and will probably be harder. So as far as getting private data (or gaining access to another account as the launching point of another attack, or what have you) — well, if he’s got an account on the system, it’s trivially easy for the attacker to find out the names of other accounts on the system. Further, if he’s after someone’s private files, he probably has a specific target in mind, in which case he already knows the target login.
And so the one case in which an attacker might use the login list (aka, the “security hole”) to crack a system is when the attacker does not already have an account. And in that case, trying to brute force passwords is not the most effective way of gaining access, mainly because brute forcing passwords will almost certainly be noticed (assuming attentive admins). A determined attacker in a multi-user lab environment is going to be able to get access to an account with a trivial amount of social hacking, because users are dumb.
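The paragraph above rests on the claim that password guessing “will almost certainly be noticed (assuming attentive admins).” As an added example, not part of the original post, here is the kind of check an attentive admin could run over authentication log lines. The log format, the account names and the function names (`parse_line`, `detect_guessing`) are all constructed for this example; real syslog output differs, so the regular expression would need adjusting. It flags two patterns a visible user list might tempt an attacker into: many failures against one account, and a single password tried against many listed accounts.

```python
"""Added example (not from the original post): flag password guessing
against known account names by reading authentication log lines.

The log format, sample lines and function names are constructed for this
example; real login/syslog lines differ, so adjust LINE_RE for your system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format.
SAMPLE_LOG = """\
2001-08-01 09:00:01 login: FAILED LOGIN user=alice from=console
2001-08-01 09:00:04 login: FAILED LOGIN user=alice from=console
2001-08-01 09:00:07 login: FAILED LOGIN user=alice from=console
2001-08-01 09:00:10 login: FAILED LOGIN user=alice from=console
2001-08-01 09:00:13 login: FAILED LOGIN user=alice from=console
2001-08-01 09:00:16 login: FAILED LOGIN user=alice from=console
2001-08-01 09:05:00 login: LOGIN user=bob from=console
2001-08-01 09:10:00 login: FAILED LOGIN user=carol from=console
2001-08-01 09:10:02 login: FAILED LOGIN user=dave from=console
2001-08-01 09:10:04 login: FAILED LOGIN user=erin from=console
2001-08-01 09:10:06 login: FAILED LOGIN user=frank from=console
2001-08-01 14:00:00 login: FAILED LOGIN user=bob from=console
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login: "
    r"(?P<result>FAILED LOGIN|LOGIN) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, failed, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("result") == "FAILED LOGIN", m.group("user"), m.group("src")


def detect_guessing(log_text, window=timedelta(minutes=5),
                    per_user_threshold=5, spray_threshold=4):
    """Return a sorted list of alert strings.

    Failures are counted per source within a sliding time window.
      * 'brute': at least per_user_threshold failures against ONE account
      * 'spray': failures against at least spray_threshold DISTINCT accounts
        (one password tried against every name on a visible user list)
    Each (kind, source, account) is reported once, with the peak count seen.
    """
    recent = defaultdict(list)   # source -> [(timestamp, user), ...] in window
    peaks = {}                   # (kind, source, subject) -> highest count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, user, src = parsed
        if not failed:
            continue
        events = recent[src]
        events.append((ts, user))
        # Drop failures that have aged out of the window.
        while events and ts - events[0][0] > window:
            events.pop(0)
        per_user = defaultdict(int)
        for _, u in events:
            per_user[u] += 1
        for u, n in per_user.items():
            if n >= per_user_threshold:
                key = ("brute", src, u)
                peaks[key] = max(peaks.get(key, 0), n)
        if len(per_user) >= spray_threshold:
            key = ("spray", src, "*")
            peaks[key] = max(peaks.get(key, 0), len(per_user))
    alerts = []
    for (kind, src, subject), n in peaks.items():
        if kind == "brute":
            alerts.append(f"brute src={src} user={subject} failures={n}")
        else:
            alerts.append(f"spray src={src} accounts={n}")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert for the six failures against alice and one for the four distinct accounts tried in quick succession; the lone failure against bob hours later stays below both thresholds. The window and thresholds are parameters because the right values depend on how many users share a machine and how often they mistype.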
Admittedly, if users weren’t stupid, the social hacking wouldn’t procure an account as easily. But of course, if users weren’t stupid, they would have better passwords in the first place, and brute forcing a password would be harder, and the utility of a list of logins would go back down just as quickly as it went up.
Why did I focus so much on the case of the multi-user lab environment? Because to see the list of logins, an attacker will need to physically see the machine. And it’s mostly beside the point, but most remote system exploits don’t even need to know about any particular user other than root, or other default logins, and so the login screen serves no utility to a remote attacker.
So the more subtle reason that the login screen listing account names isn’t actually a showstopping security flaw is because to see the list of logins, an attacker needs to be physically in front of the machine, and once an attacker has got physical access to a machine, the show’s over and the monkey’s dead.