Securing a computer is a balancing act. On one hand, if you go for complete security of your data, you’ll be annoyed by repeated password entries and other hassles. On the other hand, if you rid yourself of even a few of those pesky little hassles, it compromises security.
If you wondering why it even matters, think about what you have on your computer right now. I bet you have easy access to your email account(s), photos, probably a year or more of your browsing history and logged in sessions for your online banking, and who knows what else.
Would you hand your computer to a stranger, walk away for an hour and let them dig around? Of course not. Losing it or having it stolen is the same thing except it’s more than an hour, and the person with your laptop is going to be looking for more than your bathroom selfies.
It’s all about balance
I’ve got what I think is a pretty good balance now. Here’s how I’m set up:
I have a good user account password for my MacBook. It’s long, contains things other than lower case letters but it’s still memorable enough that I can type it in if required.
The user account password on a Mac is almost useless if someone gets physical control of your computer as it can be bypassed without much effort. With that in mind, I also have a firmware password set. My firmware password is not the same as my user password, it isn’t very memorable and I store it safely in 1Password in case I ever need to use it.
I also have FileVault full-disk encryption enabled. That means my full hard drive is encrypted and protected from prying eyes, even if someone clones the drive or steals my whole computer.
None of those things do much if I leave my Mac logged in and unattended. To mitigate this risk, I have fairly aggressive screensaver and lock settings. My screensaver starts after one minute and my computer locks five seconds after the screen saver is activated. Closing the lid puts my Mac to sleep and locks it immediately.
For example, if I’m sitting at my desk and don’t interact with my Mac for a minute, the screensaver starts. I have five seconds to flick the trackpad and clear the screensaver before it locks my Mac, requiring the password.
When I leave my desk, my computer is vulnerable for the first minute and five seconds which is probably not the end of the world where I work. I sometimes use the “hot corners” feature of macOS to instantly start the screensaver if I am leaving my desk, or I use Alfred to quickly start it from the keyboard.
The ‘key’ to reducing password entry annoyance
Entering my user password a few dozen times a day is a bit of a pain point, so I invested in a Yubikey 4 USB key. This little device works with macOS Sierra and when it’s plugged in to one of the USB ports on my Mac, the requirement for my user password is reduced to a requirement to enter a 6-digit numeric pin which is quick and easy to type.
As noted above, I also use 1Password to help keep all my online accounts secure. I have unique, long, unmemorable passwords on every online service I use, and I rely on the 1Password browser extension to log me into the various accounts on my Mac and the 1Password app on my iPhone.
The Yubikey 4 offers some additional convenience for 1Password. While there isn’t the full support I’d like for these type of hardward keys, the Yubikey 4 in particular can store a static password that it will enter on demand by pressing a button on the key.
I have my 1Password password stored in the Yubikey and when the 1Password extension asks for my password, I touch the button on my key for a few seconds and the Yubikey 4 types the password in for me, and hits enter. That allows me to to set the lock delay for 1Password to a much shorter duration as it removes the annoyance of having to type a long password in every time I want to use the extension.
Overall I’m finding this to be a workable balance. My MacBook Pro is locked and secured behind good passwords when it is unattended. When I do need to log in, the Yubikey makes it much less annoying by lowering the requirement to a PIN.
If my laptop is stolen while closed, I’m covered. The data is encrypted and locked away. My user account is safe. Inside the office, my data is safe from snoopers by enforcing a quick account lock. I never store the Yubikey with my MacBook unless it’s plugged into the USB port. If I leave my MacBook on my desk at the office, I take the Yubikey with me. When my MacBook is in a bag over my shoulder, the Yubikey is in my pocket on a keyring.
Total investment was about $40 USD for the Yubikey, $5USD/month for 1Password Family, and some time getting the various screensaver and lock timings set up.