Update. Apple has published a security update to close this hole. [2017-11-29T18:00Z]
What’s the maddest, baddest, craziest, can-you-believe-it, how-did-that-happen security blunder of recent memory?
Companies contending for the top three spots in the past three months surely include:
- Uber. Suffered a breach, paid the hackers off, pretended it never happened, got found out anyway.
- Equifax. Permitted crooks to carry off personal data, including social security numbers, for about half of US adults .
- Apple. Let you read off the actual password of an encrypted device simply by clicking
[Show password hint].
Well, Apple just did it again, and this one is even zanier that before – so Cupertino may well be back in first place.
The default root login password is…
In High Sierra, the latest version of MacOS (currently at 10.13.1), you can easily guess the password for
root, the all-powerful system administration account.
The average number of guesses you need is…
In fact, strictly speaking you need ZERO guesses, because you almost certainly KNOW the password already.
Just login as
root with the password “”, by which we mean no password at all – just hit
[Enter]. (You may need to try more than once.)
We’re guessing either that Apple didn’t bother to set a password for root because you don’t usually login or authenticate as root, or that the authentication dialog incorrectly sets a blank password along the way.
The reason you don’t usually need to login as root is that macOS gets you to setup one or more regular accounts with Administrator powers, so these accounts can perform root-like activities as needed, by putting in their own passwords.
In theory, this is good for security because: you aren’t logged in as an administrator all the time; you don’t need to share a single root password amongst multiple administrators; and there’s accountability because admin activities are tied back to the user who initiated them.
In practice, of course, you need to have a password on the root account if it’s active, and ideally it should be randomly set when you configure the system, so no one knows it. (It’s much easier to stop someone using a password by mistake, or against policy, if they don’t have that password in the first place.)
Given that Apple doesn’t expect you to use the root account directly, it’s astonishing that you can so easily login as root at all, let alone with a blank password.
This is an epic fail by Apple, and all the world knows about it now, because it was disclosed publicly on Twitter rather than privately to Apple.
What to do?
You can easily set a strong root password of your own, so no one else knows it or can guess it.
The good news is that there’s an easy and safe way to check and fix this problem.
Open a Terminal window and enter the command
passwd root, which is how you set the root password in the first place.
Don’t worry – you can’t set a new password this way unless you already know the old one, so just hit [Enter] three times:
$ passwd root Old Password: [just hit enter to assume that it's blank] New Password: [hit enter again to leave it blank if it already is] Retype New Password: [hit enter a third time]
Note that if the old password isn’t blank, you don’t get an error message until the end, so if you see an error like this…
passwd: authentication token failure
…then you don’t have a blank root password.
However, it seems that this bug doesn’t reveal itself immediately – we’ve heard speculation that it’s by accessing the root account and failing that you trigger this problem in the first place – so try the above process several times in a row. (You can get the
passwd root command back by pressing the up arrow key, which replays previous commands in the Bash shell.)
If, on any attempt, you don’t see any message at all, then your root password has been set to the empty string, and you need to change that.
Run the same command again, but this time put in
[Enter] as the old password and choose a proper password for root:
$ passwd root Old Password: [just hit enter] New Password: ************** Retype New Password: *************** $
Technically, you don’t even need to keep a record of the password you typed in (though you can’t just type random garbage because you need to put the same password in twice).
You’ll still administer your Mac with your regular Administrator-enabled account by typing in your regular password when needed, just like before.
Check your Mac, and fix this now!
Note. We think that the default setup of macOS prevents you using this trick remotely. You must have physical access to the computer. Also, if FileVault (full disk encryption) is turned on and the Mac is shut down rather than logged off or locked, you have to enter the disk password before you can get at a login prompt at all.