You’re constantly hearing about how you need to make sure to use a secure password, but what are you supposed to do if a hacker can just change your password without even cracking it? That’s what users with physical access to your computer can do on OS X Lion right now.
A similar issue in previous versions of OS X allowed Admin users to access the “shadow files” that store OS X passwords, but in Lion, non-Admin users can access the hash and salt data for passwords, which shouldn’t be possible. But that’s not all — it seems Directory Services in Lion don’t require authentication when requesting a password change for the current user, so even if the encrypted hashes aren’t cracked, the password can still be changed.
CNET’s got a detailed list of ways to lock down your system until Apple releases a patch, but for now, like disabling auto-log-in, enabling sleep and screensaver passwords, and disabling guest accounts; but the long and short of it is that anyone with physical access to a Mac running Lion can access and change your password relatively easily. So be careful with that, eh? [Defence in Depth via CNET via Techmeme]