Simple Things to Do Right Now | The Mac mini Guidebook A practical, hands-on book for everyoneincluding Windows usersmoving to Apple's compact computer

Here is a list of some very simple things you can do right, this very moment, to make your Mac mini better protected from the various forces of evil arrayed against it. The first two suggestions are really important.

1. Turn off automatic login

I know it's convenient not to have to enter a password when you start your computer. But unless you trust everyone who might have access to your Mac mini, you should require a password to start the machine.

Protect yourself: Go to the Mac OS X Accounts System Preferences pane and deselect the "Automatically log in as" option (Figure 7.1).

Figure 7.1. What's wrong here? If you expect any measure of security, you must disable automatic login. So you will see it, I've allowed it here, but I immediately unchecked it as soon as I grabbed the screen image for this book. Remember: Keep this check box clear. You can disable automatic login for all users in item 3, below.

2. Create individual user accounts

Give everyone who uses your Mac mini a separate account, and no one will be messing around while logged in as you. Messing around includes looking at your files and installing software.

To add an account, go to the Mac OS X Accounts pane and click the + sign. Note that you can limit what can be done from each account, including what applications the person using the account can run and whether the account user can change any settings. New in Mac OS X 10.4 Tiger are parental control settings (Figure 7.2).

Figure 7.2. Once you create a user, you can select the parental controls you want to invoke. These can limit who the user exchanges e-mail with and what Web sites the user can visit and can even screen some profanity from the Dictionary application.

3. Require a password when your Mac mini wakes up from sleep or a screen saver

When you walk away from your machine, it may hide your work by launching a screen saver or going to sleep, but it will wake right up if someone touches your keyboard. Once awake, your Mac is wide open to exploration by, well, anybody who can get to it.

Protect yourself: Go to the Security System Preferences pane and select "Require password to wake this computer from sleep or screen saver." Now when your machine wakes up, you will be asked for your password to resume work.

Also disable automatic login, which will prevent any user from logging in automatically. (See Item 1.)

Hint: You can set how long the machine must sit idle before the screen saver or sleep mode kicks in. You want it to be short enough that your machine doesn't spend large amounts of time unprotected when you're away but long enough that you don't have to keep reentering your password because the screen saver starts every time you get a phone call (Figure 7.3).

Figure 7.3. The Security System Preferences pane allows you to change a number of settings affecting all users of your Mac mini. It's important to require a password to wake up the computer and to keep your FileVault master password secure (yet memorable). This is also where you can prevent any user from automatically logging in.

4. Use FileVault

FileVault is a feature built in to Mac OS X that can encrypt your home folder. This encryption completely protects your files even if someone steals your computer. To use FileVault, visit the Security System Preferences pane. Note that if you are the administrator of your Mac mini, you will be asked to create a master password that can open any user's FileVault-protected home folder. This master password is used when the user forgets his or her own password or when the administrator wants to see what a user has been doing. Thus, FileVault offers complete protection only if you are the administrator. Also, FileVault automatically opens the encrypted home folder when the user logs in, so anybody who has the user's password has access to the user's files.

Remember to keep the master password safe (Figure 7.4).

Figure 7.4. Read and heed the warning about what happens if you lose your master FileVault password.

5. Use a more secure password

I don't know any "normal" people who use proper passwordsthat is passwords that essentially look like random characters and are at least 10 characters long. The problem with these passwords is that they are almost impossible to remember so users write them down, sometimes on Post-it notes stuck to the computer itself.

My recommendation is to use multiple passwords. Have one to use in circumstances where you don't mind giving the password to friends or co-workers. At the other extreme, have a password you wouldn't tell your priest.

For your most secure password, avoid dictionary words, names, and any information that might be discoverable about you. This includes your mother's maiden name, old street addresses, and telephone numbers. Never use your social security number for anything. Use a collection of letters, numbers, and characters. Perhaps this will be something you can refer to later so you can remember where the password came from even if you can't remember the password itself. An example might be the first letter from every line in a favorite poem with some numbers or punctuation thrown in.

6. Completely erase your files

When you empty the Trash on your Mac mini, you make filenames disappear, but the data remains on your hard drive. From the Finder menu, select Secure Empty Trash (Figure 7.5), and your Mac mini will both empty the Trash and write over the files so they are unreadable with file recovery software.

Figure 7.5. Here's how you make sure your trash is really gone. Selecting Secure Empty Trash from the Finder menu both dumps the trash and overwrites the files you've thrown away.

7. And for the really paranoid…

I won't talk about this in detail, but you can set a password that must be entered before your Mac mini will boot up (and way before you normally enter your password). To find out how to set an open firmware password, visit the Apple Web site and do a search. If you forget this password, you are really hosed, okay?