
Unfortunately, someone stole my laptop (a MacBook) and I did not realize that for 48 hours. Now, this was a work laptop and my company's security team is going to wipe the laptop remotely as soon as it connects to the internet. Which is nice.

However, what I am worried about is more about what could happen in those first 48 hours.

  1. My passwords were all over the place (auto-fill on my browser, etc.)
  2. My Evernote had some good amount of passwords

What I am guessing is that since it was stolen from my car, whoever stole it was more interested in selling parts of it or wiping it and re-selling it (the hardware, not the data). At least, I hope that.

Now, in the worst case scenario, assuming it was stolen by a person who is dedicatedly interested in data: What are their options? Can they really crack open a MacBook and get my data?

If so, what are my options?

Michael
Lost

3 Answers


Your data is probably* safe if the following three criteria are met:

  1. You have FileVault turned on (full disk encryption).
  2. Your laptop requires a password on boot and every time you open the lid (auto screen lock).
  3. Your password is not well known (easy to guess).

TL;DR

If you don't have FileVault turned on, then your data is in plaintext and anyone can read it all.

If you had a password, and that password is required every time you open your screen, AND you had FileVault turned on (or your company did), then they need to guess your password to decrypt the data.

But, if you had a dumb password, they can probably guess it. Check out haveibeenpwned.com to determine if you had a dumb password.

If you had a strong password, FileVault, and your device requires you to enter a password, then you're probably ok.

Still, why not go through your accounts and reset them anyways. Now's as good a time as any. Get a password manager like 1password and let it autogenerate passwords for you.

Choose a not-dumb password (like a truly random string of 10 characters - google a pw generator) for your password manager and memorize it.

Do the same for your new laptop password.

You'll have to memorize two crazy passwords. Write them and put them in your wallet until you do remember them.

Alternate approach is the xkcd: Password Strength method of using a few words together. I personally find this easier to remember, but more difficult to type than a 10-character random password.

(*) Having all three of those things true makes it "very unlikely" that someone will get your data; however, a motivated and well-resourced adversary can eventually guess every single possible password you could have used and decrypt the contents of the hard disk. That said, you have plenty of time to rotate your passwords.

Jonathan
  • While I generally agree with this response, I think it could be improved in a couple of ways. First, haveibeenpwned.com serves as a way to see if an email address has been associated with "dumps" containing a potential password to the account. It does not serve as a metric to measure password strength. Instead, I would reference a list of [the most common passwords](https://en.wikipedia.org/wiki/List_of_the_most_common_passwords), as a thief who likely does not have password cracking skills is unlikely to manually test many besides these. – svartedauden Aug 27 '19 at 19:08
  • Second, while the suggestion of a password manager is good, I think the suggestion of a random string of 10 characters isn't in practice the ideal password for something like disk decryption or a password manager. While it's all up to personal preference, a set of words or a phrase could be easier to remember while being just as difficult if not more difficult to crack, depending on context. – svartedauden Aug 27 '19 at 19:08
  • @svartedauden Have I Been Pwned has a password list: https://haveibeenpwned.com/Passwords – NobodyNada Aug 28 '19 at 03:44
  • @svartedauden - (1) yes, haveibeenpwned lets you check your password. 1password even integrates with it to let you know if your password is on the lists of commonly dumped passwords. (2) a random string of 10 characters, or a string of a few words are both valid options. Pick the poison that works best for you. – Jonathan Aug 28 '19 at 05:28
  • [Diceware](http://world.std.com/~reinhold/diceware.html) passphrases (also known as "xkcd passphrases" after https://xkcd.com/936/) are likely to be easier to remember for a given degree of security. To match a ten-character alphanumeric password (62^10) (about 59 bits of security) you'd need a five-word Diceware passphrase (actually 4.57 words), which gives you about 64 bits' worth of security. Now consider what's easier to remember of the two I generated; `eeV2AiGh2d` or `due ethan ok once tippy`. (Please don't use either of these, as they are now effectively compromised. Generate your own.) – user Aug 28 '19 at 08:48
  • Just to clarify: you should never put your passwords on a random website. haveibeenpwned.com is a well known website run by a [security expert](https://en.wikipedia.org/wiki/Troy_Hunt) whose honesty is trusted by the whole security community. The website is implemented to avoid sending your actual password to their servers (and you can check for that using the dev tools of your browser [which is something I actually did; trusting is good, but always confirm...]). Do not put your password on random websites claiming to measure its strength... – Giacomo Alzetta Aug 28 '19 at 10:16
  • The important point here is **FileVault**! If your laptop was not encrypted, accessing everything on the drive is easily done. The password is irrelevant. – user10216038 Aug 28 '19 at 17:53
  • I wouldn't put the new password in the wallet, you could be unlucky enough to get the laptop AND the password stolen at the same time (eg: at gun point) – Felipe Pereira Aug 28 '19 at 18:31
  • xkcd passwords can be as easy to crack as a short list of random letters b/c computers can guess random words just as easily, unless you add some additional randomness. The cracker won't try every combination of letters until it finds `due ethan ok once tippy`; instead it will try random words separated by spaces that form strings below whatever length they are targeting. A long word-based password is good, but add some randomness. – Zack Aug 28 '19 at 18:42
  • @Zack Take a closer look at the math in [the xkcd](https://xkcd.com/936/): Randall's entropy calculation assumes the attacker knows the scheme you're using. Four words (from a list of the 2048 most common words) corresponds to about 44 bits of entropy (about the same as ~6.8 random printable ASCII characters). – NobodyNada Aug 28 '19 at 18:46
  • I have, the xkcd advice is not bad, but is a little old. For example `Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn` was cracked b/c the cracking program found the phrase in Wikipedia https://en.wikipedia.org/wiki/Cthulhu You just want a little extra to make it a little harder. – Zack Aug 28 '19 at 18:49
  • @Zack The comic assumes you choose four completely random words, not a well-known phrase. – NobodyNada Aug 28 '19 at 18:51
  • @user10216038 This is the most important comment and the only real information in the answer. – clemisch Aug 28 '19 at 18:57
  • @aCVn I am not sure why people continually offer this advice. By *far* the better advice is just "use a password manager". Period. Diceware passwords are a total waste of effort. – user91988 Aug 28 '19 at 20:13
  • @only_pro you still need some password for the password manager – Doryx Aug 28 '19 at 21:15
  • @Doryx Sure, but just one. I think anyone should be able to remember just _one_ complex password. – user91988 Aug 28 '19 at 21:16
  • @NobodyNada & Jonathan - Apologies, I was unaware of haveibeenpwned having a password checking tool. I think it may be useful to specify this in the answer so it is not confused with the breach checking tool. I do stand by the suggestion though that in this context, confirming that your password is not one of the most commonly used ones is more important to assess the likelihood a stolen laptop was accessed - as even a weak but uncommon password is unlikely to have been attempted manually. – svartedauden Aug 28 '19 at 21:46
  • @only_pro I think that _one_ complex password could be done diceware style and wouldn't be a total waste of effort. – Doryx Aug 29 '19 at 01:47
  • _why not go through your accounts and reset them anyways_ – **This** times a hundred. Even if your password is weak, it may give you just enough breathing room to change your online passwords before it is cracked. – forest Aug 29 '19 at 07:00
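The entropy figures traded in the comments above (62^10 for a ten-character alphanumeric password, five Diceware words, four words from a 2048-word list) can be recomputed rather than taken on faith. This is an added example, not code from the answer or from the Diceware project; it assumes a caller supplies their own word list, and the word-list sizes 7776 and 2048 are the ones the comments cite.

```python
import math
import secrets
import string
from typing import Sequence

# Alphabet and list sizes discussed in the thread.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE_ASCII = 95                                  # space through '~'
DICEWARE_WORDS = 7776                                 # 6^5, one word per five dice
XKCD_WORDS = 2048                                     # list size assumed by xkcd 936


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` independent, uniformly chosen symbols from `symbol_count`.
    This is the attacker-knows-the-scheme figure, not a guess at how 'clever' the
    password looks; a dictionary phrase is NOT covered by it."""
    return length * math.log2(symbol_count)


def words_to_match(target_bits: float, word_count: int = DICEWARE_WORDS) -> float:
    """Fractional number of uniformly random words needed to reach `target_bits`;
    round up when actually choosing a passphrase length."""
    return target_bits / math.log2(word_count)


def random_password(length: int = 10, alphabet: str = ALPHANUMERIC) -> str:
    """Random password drawn with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(wordlist: Sequence[str], words: int = 5) -> str:
    """Diceware-style passphrase: every word is an independent uniform pick, so
    the entropy is words * log2(len(wordlist)). The caller supplies the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    ten_alnum = entropy_bits(len(ALPHANUMERIC), 10)
    print(f"10 alphanumeric chars : {ten_alnum:.1f} bits")
    print(f"Diceware words needed : {words_to_match(ten_alnum):.2f}")
    print(f"5 Diceware words      : {entropy_bits(DICEWARE_WORDS, 5):.1f} bits")
    print(f"4 words from 2048     : {entropy_bits(XKCD_WORDS, 4):.1f} bits")
    print(f"  = printable ASCII   : {words_to_match(44, PRINTABLE_ASCII):.1f} chars")
    print(random_password(), "|", diceware_passphrase(["demo", "list", "only"], 4))
```

Only the scheme parameters matter to the entropy; the comparison shows why the comments say a random five-word passphrase slightly beats ten random alphanumerics, and why a quoted phrase found in a dictionary or wiki gets none of that credit.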
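Several comments above debate whether it is safe to check a password against haveibeenpwned.com; the point in Giacomo Alzetta's comment is that the Pwned Passwords lookup only ever sends the first five hex characters of the password's SHA-1 and matches the rest locally. The following added example (not the answer's code and not Have I Been Pwned's own client) shows that k-anonymity flow offline: the range response is a constructed stand-in, with one entry derived from the weak password "password" and the other suffixes and all counts made up.

```python
import hashlib
from typing import Callable, Dict, List

# The live service answers GET https://api.pwnedpasswords.com/range/<prefix>
# with "SUFFIX:COUNT" lines; this example never goes on the network.


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines (35 hex chars each) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves this machine; the
    35-char suffix is compared locally. Returns the breach count, 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed offline stand-in for the service ---------------------------
_KNOWN_WEAK = sha1_hex("password")        # derived, not typed in by hand
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # made-up neighbour in the range
    f"{_KNOWN_WEAK[5:]}:3730471",              # count is constructed
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",   # made-up neighbour in the range
])
PREFIXES_SENT: List[str] = []   # records exactly what the "server" was given


def offline_fetch_range(prefix: str) -> str:
    PREFIXES_SENT.append(prefix)
    return SAMPLE_RESPONSE if prefix == _KNOWN_WEAK[:5] else ""


if __name__ == "__main__":
    print(pwned_count("password", offline_fetch_range))              # 3730471
    print(pwned_count("constructed-unseen-example", offline_fetch_range))  # 0
    print(PREFIXES_SENT)   # five-character prefixes only, never the password
```

Inspecting PREFIXES_SENT is the offline equivalent of the dev-tools check the comment describes: the only thing a server would learn is a prefix shared by hundreds of unrelated hashes.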

I unlocked a Mac laptop that a friend "found in a bin" without knowing the password and accessed all data on it. After a quick bit of googling I created a new account and reset the existing account password. We worked out who owned the laptop previously, called her, and to my utter surprise, she said she threw it in the bin.

It was an older laptop, and this was about a year ago (no idea what the model was) -- no idea if it applies to your laptop.

If they can access your account then they can get all your Chrome saved passwords.

Advice: reset all your passwords. Sorry.

This link describes how to reset your password (see Use Recovery Mode).

stevieg

Even if you format (wipe) the data, someone clever enough can still recover it, but that requires some serious skills. Try to google "recovering formatted drives".

They would still need to crack your password, as Macs are encrypted.

  • Not true, if the drive was encrypted, which it almost certainly was, as a corporate laptop. "Erasing" a drive with FileVault is really erasing the encryption key, rendering the data unrecoverable. – Kevin McKenzie Aug 28 '19 at 04:05
  • Formatting and wiping are not the same thing; the latter consists of overwriting every cluster on the disk, or erasing the encryption key on an encrypted drive. – Dmitry Grigoryev Aug 28 '19 at 06:48