
Apple security flaw: what to do if you’re affected

A glitch in Apple’s new operating system – High Sierra – could mean anyone can access your Mac without needing a password


Apple is working to fix a security issue in the latest version of its operating system after it was revealed that anyone could gain access to a locked computer in their possession.

The bug affects Mac users who have the latest version of Apple’s operating system, called High Sierra.

A post on Twitter by tech developer Lemi Orhan Ergin revealed that someone could be granted unrestricted access to the machine by:

  • entering the username ‘root’ at the login stage;
  • leaving the password field blank;
  • then hitting ‘enter’ a few times.

In this mode, someone would be logged in as a ‘Root User’, which would give them additional privileges that a normal user wouldn’t have. Logged in this way, they could edit or delete crucial files and install malware that security software may not be able to detect.

This would, however, only be possible with physical access to the machine, and isn’t possible remotely unless remote access has already been given, for example, for tech support.

If you’re considering getting an Apple Mac, find out the laptops that have been rated for screen quality, sound, speed and battery power by reading our Which? laptop reviews.

How to temporarily fix your Apple account to protect it

After the glitch was spotted, Apple released the following statement: ‘We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorised access to your Mac.’

Here’s how it says you can enable the Root User and set a password for it:

Enable or disable the Root User

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
       • Choose Edit > Enable Root User, then enter the password that you want to use for the Root User.
       • Or choose Edit > Disable Root User.

Log in as the Root User

Once the Root User is enabled, you’ll need to log in as the Root User. This will give you the privileges of the Root User.

  1. Choose Apple menu > Log Out to log out of your current user account.
  2. At the login window, log in with the user name ‘root’ and the password you created for the Root User.
  3. If the login window is a list of users, click Other, then log in.
  4. Remember to disable the Root User after completing your task.

Change the Root User password

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  8. Enter a root password when prompted.

If a Root User is already enabled, to ensure a blank password is not set, follow the instructions from the ‘Change the Root User password’ section.
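To find out whether the Root User is already enabled on a Mac, the account record can be read from Terminal with the built-in dscl tool. The script below is an added example, not Apple's or Which?'s own code; the function names root_state and check_root are hypothetical, and the output forms it matches (‘Password: *’ for a disabled account, ‘ShadowHash’ for an enabled one) are assumptions about what dscl commonly prints.

```shell
#!/bin/sh
# Added example: report whether the macOS root account is enabled, by
# reading its directory record. It never attempts a login as root.

# root_state PASSWORD_OUTPUT AUTHAUTH_OUTPUT
# Classifies the text printed by the two dscl reads in check_root below.
# Prints one of: disabled, enabled, unknown.
root_state() {
    pw_out=$1
    aa_out=$2
    # Value after "Password:"; assumed to be a single "*" when no password
    # hash is set, and a masked string such as "********" otherwise.
    pw=$(printf '%s\n' "$pw_out" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    case "$aa_out" in
        *DisabledUser*) echo disabled; return ;;
    esac
    if [ "$pw" = "*" ]; then
        echo disabled
        return
    fi
    case "$aa_out" in
        *ShadowHash*) echo enabled; return ;;
    esac
    echo unknown
}

# check_root: runs the two reads on this machine and classifies the result.
check_root() {
    command -v dscl >/dev/null 2>&1 || { echo unknown; return; }
    pw_read=$(dscl . -read /Users/root Password 2>&1)
    aa_read=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    root_state "$pw_read" "$aa_read"
}

case $(check_root) in
    enabled)  echo "Root User is enabled: change its password, or disable it if unused." ;;
    disabled) echo "Root User is disabled: follow Apple's advice to set a root password." ;;
    *)        echo "Could not determine the Root User state (is this a Mac?)." ;;
esac
```

A result of ‘enabled’ on a Mac where nobody knowingly turned the Root User on suggests the blank-password login has been tried on that machine.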

How to create a secure password for your Mac

Separate from this recent issue, it’s always a good idea to keep your Mac secure by setting a password.

You can create a login password by clicking Finder > Security & Privacy then the General tab. Here, you’ll be able to set a password that will then need to be entered each time you turn on or wake up your Mac from sleep mode or the screensaver.

When choosing your password, remember to avoid the really obvious choices (your name, the word ‘password’, or 1234, for example) – you’d be surprised how frequently these are picked. Here’s how to create a more secure password:

Use key phrases for passwords

Pick a phrase that’s personal to you and that you can remember. For example, ‘The quick brown fox jumped over the lazy dog’, then shorten it to the first letters of each word, which in this case would be ‘TQBFJOTLD’.

Switch characters and cases

Swap out some of the letters for numbers – the number 8 can be used instead of a ‘B’ – and make them a mix of upper and lower case letters.

Make the password unique

Don’t use the same password for every login you need. Personalise them by adding letters to the end that identify what site it’s for. For example, your Facebook password could have FB added to the end. Your email account could have EM added to the end.

See our guide for more useful tips on making the most of your Apple Mac, including how to remember your password for a certain website or program.

You can also get more advice by contacting the Which? Computing Helpdesk.
