or:
Does enabling auto-login in OS X add any additional security risks?
How does this auto-login work? I'm not a security expert, but I imagine that such a procedure would require the password to be stored somewhere in plain text, right? But then this specific location could be exploited by malicious software.
Where is the password for the auto-login stored?
The setting I'm referring to is located at:
Users & Groups → Login Options → Automatic login
Best Answer
Yes. If you enable automatic login, the keychain password is stored in
/etc/kcpassword
using XOR cipher, which can be decoded easily. You need root privileges to read it though.sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'
Even if automatic login was disabled, the login password can be reset in single user mode. It doesn't change the password of the login keychain though. If someone logged in to your account after resetting the login password, they could access most of your files normally, but they couldn't log in on your account in Mail or use auto-fill in Safari. If automatic login was enabled, they could see your passwords with something like
security find-internet-password -s accounts.google.com -w
and use Mail and auto-fill.There was a vulnerability when automatic login was enabled:
The hash of the login password (which is usually also the password of the login keychain) is stored in
/private/var/db/dslocal/nodes/Default/users/username.plist
in 10.7 and 10.8. In 10.7 even relatively complex passwords could be cracked with DaveGrohl, but 10.8 switched to PBKDF2, which limits it to about 10 guesses per second per core.