12.5. Setting Up the Login Process
Once you've set up more than one account, the dialog box shown in Figure 12-1 appears
whenever you turn on the Mac, whenever you choose Log Out, or whenever the
Mac logs you out automatically (Section 12.9.3). But a few extra controls let you, an
administrator, set up either more or less security at the login screen—or, put another way,
build in less or more convenience.
POWER USERS' CLINIC
The Secret Account Options
Anyone who knows Mac OS X very well might object to one sentence in this
section: "If you're an administrator, you can change your own account in any
way you like."
Because everybody knows that there's one aspect of an account that even an
admin can't change: the account's short name. Once that's created, it's yours
forever, or at least until you delete the account.
Now, you won't find this feature listed on Apple's "300 New Leopard Features"
Web page, but it's true: In Leopard, there's now a secret way to pick a different
short name. You can't easily change the one you created originally, but you can
create another one—shorter, more memorable—that also works when you're
logging in or authenticating yourself.
To find it, Control-click (or right-click) the account's name in the list at the left
side of the Accounts panel in System Preferences. From the shortcut menu,
choose Advanced Options.
The strange and wonderful Advanced Options panel appears. Right there in the
middle is a "Short name" box, but don't edit that; it won't work.
Instead, click the + button below the Aliases list. You're offered the chance to
type in an alternative short name and then click OK. You can create as many of
these aliases as you like.
When it's all over, click OK. The next time you log into your Mac, you can use
your new, improved short name instead of the old one.
Rejoice that you lived to see the day.
Open System Preferences, click Accounts, and then click the Login Options button
(Figure 12-12). Here are some of the ways you can shape the login experience for greater
security (or greater convenience):
Figure 12-11. Top: This dialog box lets you know where to find the deleted account's
material, should the need arise.
Bottom: The files and settings of accounts you deleted live on, in the Users →
Deleted Users folder.
• Automatic login. This option eliminates the need to sign in at all. It's a timesaving,
hassle-free arrangement if only one person uses the Mac, or if one person uses it
most of the time.
When you choose an account holder's name from this pop-up menu, you're
prompted for his name and password. Type it and click OK.
From now on, the dialog box shown in Figure 12-1 won't appear at all at startup
time. After turning on the machine, you, the specified account holder, zoom
straight to your desktop.
Of course, only one lucky person can enjoy this express ticket. Everybody else
must still enter their names and passwords. (And how can they, since the Mac
rushes right into the Automatic person's account at startup time? Answer: The
Automatic thing happens only at startup time. The usual login screen appears
whenever the current account holder logs out—by choosing Log Out, for
• Display login window as. Under normal circumstances, the login screen presents a
list of account holders when you power up the Mac, as shown in Figure 12-1.
That's the "List of users" option in action.
If you're especially worried about security, however, you might not even want that
list to appear. If you turn on "Name and password," each person who signs in must
type both his name (into a blank that appears) and his password—a very
inconvenient, but more secure, arrangement.
Figure 12-12. These options make it easier or harder for people to sign in,
offering various degrees of security. By the way: Turning on "Name and
password" also lets you sign in as >console, a troubleshooting technique
described in Section 10.30.7. It's also one way to sign in with the root account
(Section 16.9), once you've activated it.
• Show the Restart, Sleep, and Shut Down buttons. Truth is, the Mac OS X security
system is easy to circumvent. Truly devoted evildoers can bypass the standard
login screen in a number of different ways: restart in FireWire disk mode, restart
at the Unix Terminal, and so on. Suddenly, these no-goodniks have full access to
every document on the machine, blowing right past all of the safeguards you've so
One way to thwart them is to use FileVault (Section 12.9.2). Another is to turn off
this checkbox. Now there's no Restart or Shut Down button to tempt mischief-
makers. That's plenty of protection in most homes, schools, and workplaces; after
all, Mac people tend to be nice people.
But if you worry that somebody with a pronounced mean streak might restart
simply by pulling the plug, then either use FileVault or set the Open Firmware
password, as described in the box below.
• Show Input menu in login window. If the Input menu (Section 9.13.3) is available
at login time, it means that people who use non-U.S. keyboard layouts and
alphabets can use the login features without having to pretend to be American. (It
also means that you have a much wider universe of difficult-to-guess passwords,
since your password can be in, for example, Japanese characters. Greetings, Mr.
POWER USERS' CLINIC
The Firmware Password
After all this discussion of security and passwords, it may come as a bit of a
shock to learn that enterprising villains can bypass all of Mac OS X's security
features in 10 seconds. If you haven't turned on FileVault, their nefarious
options include using the Unix console described in Appendix B, using
FireWire disk mode (Section 6.2), and so on.
But there is one way to secure your Mac completely: by using the very secret,
little known Firmware Password program.
It's on your original Leopard DVD, in the Applications → Utilities folder, just
where it's been in previous Mac OS X versions—but in 10.5, Apple has made it
Use TinkerTool (Section 17.1) to make the Finder show all hidden files and
folders; then insert your Leopard DVD. Open the Applications → Utilities
folder that has magically appeared. You'll find the Firmware Password program
inside. (On pre-Intel Macs, it's called Open Firmware Password. For the
purposes of the features described here, however, it works identically.)
When you run this utility, turn on "Require password to change firmware
settings," as shown here. Then make up a master password that's required to
start up from anything but the internal drive.
Next, you're asked for an administrator's password. Finally, a message tells you,
"The settings were successfully saved." Restart the Mac.
From now on, whenever you attempt to start up in anything but the usual way,
you're asked to type the Open Firmware password. For example, you see it
when you press the C key to start up from a CD, or when you press Option to
choose a different startup disk or partition.
None of the usual startup-key tricks work. Holding down the C key to start up
from a CD, holding down N to start up from a NetBoot server, pressing T to
start up in Target Disk Mode, pressing D to start up from the installation DVD
in diagnostic mode, pressing ⌘-V to start up in Verbose mode, ⌘-S to start
up in Single-user mode, ⌘-Option-P-R key to reset the parameter RAM,
pressing Option to start up from a different system disk, pressing Shift to enter
Safe Boot mode—none of it works without the master Open Firmware
• Show password hints. As described earlier, Mac OS X is kind enough to display
your password hint ("middle name of the first person who ever kissed me") after
you've typed it wrong three times when trying to log in. This option lets you turn
off that feature for an extra layer of security. The hint will never appear.
• Use VoiceOver at login window. The VoiceOver feature (Section 188.8.131.52) is all
well and good if you're blind. But how are you supposed to log in? Turn on this
checkbox, and VoiceOver speaks the features on the Login panel, too.
• Enable fast user switching. This feature lets you switch to another account without
having to log out of the first one, as described in Section 12.8.
• View as. If you do, in fact, turn on Fast User Switching, a new menu appears at
the upper-right corner of your screen, listing all the account holders on the
machine. Thanks to this pop-up menu, you can now specify what that menu looks
like. It can display the current account holder's full name (Name), the short name
(Short Name), or only a generic torso-silhouette icon (Icon) to save space on the
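
The Login Options checkboxes described above are stored as system preferences, so they can be audited without opening System Preferences. The following is an added example, not from the book: it assumes the settings live in /Library/Preferences/com.apple.loginwindow.plist under the key names shown (assumptions not stated on this page), and it runs against a constructed sample rather than a real Mac.

```python
import plistlib

# Constructed sample of a loginwindow preferences file (not from the book).
# Key names are assumptions about com.apple.loginwindow.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>autoLoginUser</key><string>chris</string>
    <key>SHOWFULLNAME</key><false/>
    <key>RetriesUntilHint</key><integer>3</integer>
    <key>PowerOffDisabled</key><true/>
</dict>
</plist>
"""

# (preference key, test that is True for the more convenient / less secure
#  choice, the Login Options control it corresponds to in the text)
CHECKS = [
    ("autoLoginUser", lambda v: bool(v), "Automatic login is enabled"),
    ("SHOWFULLNAME", lambda v: not v, 'Login window shows "List of users"'),
    ("RetriesUntilHint", lambda v: v is None or v > 0, "Password hints are shown"),
    ("PowerOffDisabled", lambda v: not v, "Restart/Sleep/Shut Down buttons are shown"),
]

def audit_login_options(plist_bytes):
    """Return one finding per login setting left at its less secure choice."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for key, is_weak, label in CHECKS:
        value = prefs.get(key)  # missing key: assume the system default applies
        if is_weak(value):
            findings.append(f"{label} ({key}={value!r})")
    return findings

if __name__ == "__main__":
    for finding in audit_login_options(SAMPLE_PLIST):
        print("REVIEW:", finding)
```

On a real machine the same function can be fed the bytes of the preferences file; none of these settings substitutes for FileVault or the firmware password against someone with physical access, as the text notes.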