Many Mac news sites and blogs are reporting about a way that someone can gain access to your Mac without your password. However, the danger is usually overstated as someone needs physical access to your Mac to use the exploit. In this video I'll show you the problem and also a simple way to prevent it. However, Apple will probably have a fix for this in the next few days or even hours.
Video Transcript / Captions
Closed captioning for this video is available on YouTube: The Root Password Hack Explained.
So I've been getting a lot of questions about this root password hack that people have been talking about in the news. It's not as dangerous as it sounds. The important thing to realize is that somebody needs physical access to your Mac. You need to be sitting down at your keyboard for this to get them anywhere. So unless somebody breaks into your house or steals your MacBook or something like that then it's not an issue.
A lot of the news reports make it seem a lot worse than that but needing physical access, well if they have physical access to your Mac there's already a whole bunch of problems you've got. So here's how it works.
I'm in Mac OS High Sierra using version 10.13.1. So I'm going to go into System Preferences and then I'm going to go to some place where I need to authenticate. So Users and Groups, I'll choose that. Authenticate means click this padlock to give you access to more things. So I'll click the padlock. It asks me for user name and password. This should be the second time you need to enter your password because you need it to enter it in in order to get access to your Mac in the first place. But it does this to be extra secure in case somebody came and sat down at your Mac that has physical access while you're logged in.
Now you have to change the user name to root. R O O T. And the password to nothing. You actually have to click in the field. At least that's what I hear. Then click unlock. It usually doesn't even work the first time. But in this case it worked the second time. What that did was it enabled the root user, so a user with the name root and a blank password. Now that that's done somebody could actually log in using root and a blank password and do anything they want to your Mac.
Of course they are already logged in here when they're doing this so there's already a lot they can do to your Mac and you already have problems if they're even that far that they could have done that. Now there are reports that this can happen even in the login screen. So if they're not logged in. So they have physical access to your Mac but they're logged out. But I haven't been able to replicate that. However, enough reports are out there people saying they can do that even though there's at least one major site that says that you can't do it in the login screen. So it's a little confusing. Maybe it's because I've got FireVault enabled. Maybe some other things I've got set that I can't do it and a lot of people can't do it.
So it's debatable whether or not you can get in if you have physical access but aren't logged in. You can definitely do it if you have physical access and are already logged in as I just did it. So let me show you how you can completely disable this so it doesn't even work. You don't have to wait for Apple to update a patch which probably will come out in the next few days. It can be even later today.
So let's start over again. You want to just disable this to protect yourself. You're going to go to System Preferences. Then you're going to go to Users and Groups. Next you're going to click Login Options. Now all this is grayed out. Because you need to authenticate. Click the padlock and authenticate with your account password.
Now that you've authenticated you have access to all of these controls. The one you want is the Join button. When that comes up don't worry about the actual join functionality. You're just going to hit this Open Directory Utility button. This launches another app. Now I could've skipped a lot of this and gone directly to the Directory Utility app. You can run it. You can find it in Spotlight and everything. But most people seem to be showing it this way through System Preferences so I'll do that as well.
Now you're going to want to click the padlock again to authenticate one more time. Now that you've authenticated that padlock is unlocked. Again you don't want to do anything here in Directory Utility. You're actually looking for the special commands under Edit. One is called Enable Root User. So you want to enter a password here. So create a password. Make sure it's secure. Some random numbers and letters. The great thing is you don't actually need to remember this password. Why? Because you can always return here using your Admin password and change the Root User Password without knowing the original and disable the root user completely. So if you forget the password it's no big deal. So you write it down somewhere and don't worry about it.
Now that you've done this, now that you've set a root user password, now you're protected. Nobody can use this exploit because there's already a root user password set. A blank won't work. So this is the work around. So just do this if you're concerned but of course again is somebody has physical access to your Mac then you've got other concerns besides this. I kind of equate this to if you have a safe in your house and you suddenly find out that it's easy to open the safe without knowing the combination. But somebody still needs to break into your house in order to get access to the safe. So you can see how it's maybe not that big of a concern that you want to fix it right away before doing anything else. Apple is probably going to come out with a patch for this really quickly since it's such a big news item. A lot of big scary news headlines even though it's really not that scary of a hack.
So I've been getting a lot of questions about this root password hack that people have been talking about in the news. It's not as dangerous as it sounds. The important thing to realize is that somebody needs physical access to your Mac. You need to be sitting down at your keyboard for this to get them anywhere. So unless somebody breaks into your house or steals your MacBook or something like that then it's not an issue.
A lot of the news reports make it seem a lot worse than that but needing physical access, well if they have physical access to your Mac there's already a whole bunch of problems you've got. So here's how it works.
I'm in Mac OS High Sierra using version 10.13.1. So I'm going to go into System Preferences and then I'm going to go to some place where I need to authenticate. So Users and Groups, I'll choose that. Authenticate means click this padlock to give you access to more things. So I'll click the padlock. It asks me for user name and password. This should be the second time you need to enter your password because you need it to enter it in in order to get access to your Mac in the first place. But it does this to be extra secure in case somebody came and sat down at your Mac that has physical access while you're logged in.
Now you have to change the user name to root. R O O T. And the password to nothing. You actually have to click in the field. At least that's what I hear. Then click unlock. It usually doesn't even work the first time. But in this case it worked the second time. What that did was it enabled the root user, so a user with the name root and a blank password. Now that that's done somebody could actually log in using root and a blank password and do anything they want to your Mac.
Of course they are already logged in here when they're doing this so there's already a lot they can do to your Mac and you already have problems if they're even that far that they could have done that. Now there are reports that this can happen even in the login screen. So if they're not logged in. So they have physical access to your Mac but they're logged out. But I haven't been able to replicate that. However, enough reports are out there people saying they can do that even though there's at least one major site that says that you can't do it in the login screen. So it's a little confusing. Maybe it's because I've got FireVault enabled. Maybe some other things I've got set that I can't do it and a lot of people can't do it.
So it's debatable whether or not you can get in if you have physical access but aren't logged in. You can definitely do it if you have physical access and are already logged in as I just did it. So let me show you how you can completely disable this so it doesn't even work. You don't have to wait for Apple to update a patch which probably will come out in the next few days. It can be even later today.
So let's start over again. You want to just disable this to protect yourself. You're going to go to System Preferences. Then you're going to go to Users and Groups. Next you're going to click Login Options. Now all this is grayed out. Because you need to authenticate. Click the padlock and authenticate with your account password.
Now that you've authenticated you have access to all of these controls. The one you want is the Join button. When that comes up don't worry about the actual join functionality. You're just going to hit this Open Directory Utility button. This launches another app. Now I could've skipped a lot of this and gone directly to the Directory Utility app. You can run it. You can find it in Spotlight and everything. But most people seem to be showing it this way through System Preferences so I'll do that as well.
Now you're going to want to click the padlock again to authenticate one more time. Now that you've authenticated that padlock is unlocked. Again you don't want to do anything here in Directory Utility. You're actually looking for the special commands under Edit. One is called Enable Root User. So you want to enter a password here. So create a password. Make sure it's secure. Some random numbers and letters. The great thing is you don't actually need to remember this password. Why? Because you can always return here using your Admin password and change the Root User Password without knowing the original and disable the root user completely. So if you forget the password it's no big deal. So you write it down somewhere and don't worry about it.
Now that you've done this, now that you've set a root user password, now you're protected. Nobody can use this exploit because there's already a root user password set. A blank won't work. So this is the work around. So just do this if you're concerned but of course again is somebody has physical access to your Mac then you've got other concerns besides this. I kind of equate this to if you have a safe in your house and you suddenly find out that it's easy to open the safe without knowing the combination. But somebody still needs to break into your house in order to get access to the safe. So you can see how it's maybe not that big of a concern that you want to fix it right away before doing anything else. Apple is probably going to come out with a patch for this really quickly since it's such a big news item. A lot of big scary news headlines even though it's really not that scary of a hack.
Update: Apple security update 2017-001 fixes this. Released today. Go to the App Store, Updates to get the patch. https://support.apple.com/en-us/HT201222
Amazing
Gary,
Thanks for the clarity of explanation!
You’re so good at explaining this stuff, you should do it of a living. :)
RSD
Gary,
Sorry for the auto-correct misspell in my comment above…
I meant to say:
You’re so good at this stuff, you should do it for a living. :)
Apple did release a fix for the “root password hack” but apparently that fix caused another problem, as reported here and many other sources: https://www.engadget.com/2017/11/30/apples-high-sierra-security-patch-affected-mac-file-sharing/ . This morning I saw, on software update, that there was another patch from Apple to download and install.
Thanks for the explanation! Question: is it necessary to “disable root user” after we’ve followed your steps? Or does it matter? Thanks!
Robbie: None of it matters now, since Apple has patched the problem. With the patch in place, I would disable root user if you don’t need it.