Find my Mac passcode lock brute-force attack: What you need to know!

When Apple launched Find my Mac as an extension to their Find my iPhone system back in October of 2011 they included the ability to lock a Mac down so that it couldn't be accessed or rebooted into alternate modes. The lock, however, was implemented using a simple 4-digit passcode (PIN). That meant, with only 10,000 possible combinations, the passcode was susceptible to brute force attack. That's nothing new. It's been known since the start. What's new is that automated tools have now been developed to make the attack both easier and faster, and they're being reported on without a lot of context. So, is it something you should worry about?

A 4-digit passcode is the same basic type of protection offered on iPhone and iPad, but iOS devices are far more difficult to brute force and so far — outside of jailbreak — haven't been susceptible to automated attacks. Also, iOS offers the option for a much more secure, much stronger alphanumeric password to be set on the device.

With automatic login turned off on your Mac, entering the Find my Mac passcode will simply reboot the machine into the OS X login. That password should be more secure than a passcode anyway, and at the very least is an additional layer of protection.

An attacker with the physical access to your machine required to brute force a Find my Mac passcode also has the access required to crack the casing open, rip out the disks, and mount them on another, unlocked machine to access your data that way. That is, of course, unless you have FileVault disk encryption enabled. (FileVault, by the way, removes automatic login as an option.)

If you have both a strong OS X login password and FileVault encryption set up on your Mac, then you only ever have to use Find my Mac's lock feature if you've left your computer logged in and unattended and have a sudden reason to fear for its security. In that case, it works fine and any attacker intent and sophisticated enough to brute force the passcode would be greeted by the awesome OS X head-shake animation and a bunch of gobbledygook on the drive.

If you've inexplicably decided not to disable automatic login and use FileVault, and you have to use the Find my Mac lock feature to keep someone from getting into your computer, then, yes, a sophisticated attacker could either brute force your passcode or simply rip out the disk.

I'm not sure if Find my Mac's lock forces an OS X login even if automatic login is enabled — all my Macs have FileVault on so I can't test it. I'd be tempted to say even the option for weak, remote passcode protection on OS X is better than the lack of any similar option on other systems but, drive yank.

So, there are three take-aways here:

  1. You should, if you're worried about security, disable automatic login. You should also, if you have data you absolutely want to keep safe no matter what, turn on FileVault. That will stop anyone this side of a billion-dollar supercomputer from getting to your data even if they have physical access to your drive. Sure, that's less convenient but security is sometimes more important than convenience.
  2. Apple should provide the option for a stronger, alpha-numeric password for Find my Mac locks. Sure, that would increase the chances of a person using the lock and forgetting the password, especially in a panic. However, since passwords have to be confirmed, anyone who switches to the advanced option should be able to retain the password they enter long enough to mark it down somewhere safe.
  3. People who publish articles on Apple security, especially in the post-SSL/TLS bug climate, should do their best to provide proper context and threat assessment along with it. Sure, informing people is vital. Scaring them disproportionately is not.
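
The first take-away can be checked from a terminal on the Mac itself. The script below is an added example, not part of the original article: it assumes the "FileVault is On/Off" wording printed by `fdesetup status` and the `autoLoginUser` key in the loginwindow preferences, and its function names and verdict labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings the article recommends.

# Classify the text printed by `fdesetup status` (assumed wording).
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# autoLoginUser holds a user name when automatic login is enabled;
# the key is absent (empty string here) when it is disabled.
autologin_state() {
    if [ -n "$1" ]; then echo enabled; else echo disabled; fi
}

# Map the two states onto the article's threat assessment.
# $1 = FileVault state, $2 = automatic login state
assess() {
    case "$1:$2" in
        on:disabled)  echo protected ;;  # lock bypass yields a login prompt and ciphertext
        off:disabled) echo partial ;;    # login password holds, but the disk can be pulled and read
        off:enabled)  echo exposed ;;    # the 4-digit lock is the only barrier
        *)            echo unknown ;;    # unreadable or unexpected combination
    esac
}

# Read the live settings; only meaningful on macOS.
audit() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found: run this on the Mac being checked" >&2
        return 2
    fi
    fv=$(filevault_state "$(fdesetup status 2>/dev/null || true)")
    user=$(defaults read /Library/Preferences/com.apple.loginwindow \
        autoLoginUser 2>/dev/null || true)
    al=$(autologin_state "$user")
    echo "FileVault: $fv, automatic login: $al, verdict: $(assess "$fv" "$al")"
}

# Run the live audit only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

Anything other than `protected` means the Find my Mac lock is carrying more of the load than a 4-digit passcode should.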

Are you using the OS X login and FileVault currently and, either way, does Find my Mac being restricted to a 4-digit passcode concern you?

Nick Arnott and Anthony Casella contributed to this article.
