Password and ways to limit access.

If she logged in as the admin user she had the admin password or you incorrectly set up her account as an admin user.

She could not have changed her user to an admin user without having your ID and password. Maybe the computer is registered under her Apple ID and password and she created an admin account for you. If she is the registered owner then she can do what she wants with passwords and account access.

I think you are looking in the wrong direction. If she does not have an admin account and she is not the owner of the computer she can not create an admin account for herself.

She probably booted into Single User Mode using Command + S or into Recovery Mode/Internet Recovery Mode which does not require any password and will provide root access at least on older Macs before macOS Big Sur. Big Sur changed this by now requiring authentication of an admin user to even boot into Recovery Mode. The only way to block this access on older Macs/macOS is by enabling a firmware password lock:

https://support.apple.com/en-us/HT204455

Just make sure you never forget the firmware password or you will need to have Apple remove it for you only after you provide proper proof of purchase & valid ID to prove you are the legal owner of the Mac. Beginning with the 2018+ Macs Apple began using a T2 security chip to further lock things down which requires authentication of an admin user before it is possible to boot into Recovery Mode or from USB drives.

apple_customer wrote:

Thank you for your help and detailed answer to my question. I discussed it with her and she seems to have done precisely what you described here. I am happy this has changed or addressed by Apple because it is a major vulnerability most of us don't expect. Up until now I have always felt my computers were secure with the passwords I had assigned to them but I now realize they were not.

Anyone with physical access to a device will always have a chance of bypassing security measures even if it is an extremely slim chance. If you don't want anyone else accessing the data on a drive, then you also need to encrypt the drive which is very easy to do with macOS by enabling Filevault. Only users with a user account & password will be able to access the contents of the encrypted drive. Security is very hard to do correctly and it has been evolving for years.

In this case and based on what you explained my best choice if I choose to continue to run macOS Catalina is to install a firmware password lock. Is this correct?

Yes.

So as to make sure I understand this important step, as I enable a firmware password and have a password enable to login, I have safely prevented anyone from having access to my computer. Is this right or can anyone still break into my computer using a different kind of technique?

A firmware password lock will restrict the Mac to only boot from the internal drive unless the firmware password is entered. Keep in mind that when a firmware lock is enabled it can make booting with other startup keys difficult or even impossible. For example it is impossible to perform a traditional PRAM Reset when a firmware lock is enabled. If you ever forget the firmware password, or if the stored firmware password becomes corrupted, then you will never be able to boot using any of the special startup keys (Option Boot, Recovery Mode, etc.) unless you can provide valid proof of purchase & identity to Apple so Apple can remove the firmware lock. Apple has very strict rules on what qualifies as valid proof of purchase and identity.

Anyone with an admin user account will be able to make modifications to the system so make sure to use a Standard user account for those users that you want to be restricted (plus you can even enable further restrictions to a Standard user account using Parental Controls).

For older Macs you should enable Filevault so that the data on the boot drive is encrypted, otherwise someone with physical access to the Mac may be able to read the data on the drive even if they don't boot from the drive. Newer Macs with the T2 security chip (typically 2018+ models) now automatically use hardware encryption to protect the data on the SSD making it nearly impossible for anyone to access the data on the laptop if the laptop is lost or stolen. Apple still allows users to also enable Filevault as well on the 2018+ models, but it really is not necessary. Just make sure when enabling Filevault that you configure Filevault to allow the other user accounts to unlock Filevault when booting or those users will not be able to boot the Mac.

Of course security is only as good as the passwords used for the user accounts. Using a common password or easily guessed password is basically the same thing as no security.

On an unrelated note make sure to always have frequent and regular backups in case something goes wrong. It is impossible to recover accidentally deleted data from an SSD after the Trash has been emptied plus an SSD can fail at any time without any warning signs (even a brand new SSD). In addition it is very difficult to impossible to recover data from a failing SSD especially with a Mac using the T2 security chip (2018+ models), but also many of the other USB-C Macs as well since the SSDs are integrated into the Logic Board. Apple includes Time Machine backup software for free with macOS and it is possible to encrypt those backups as well, although there are also third party options as well. I also highly recommend storing backup copies of any important files on external media that can be access by other non-Apple devices in case you don't have a Mac (or a new enough Mac) to access a Time Machine backup (I'm a bit paranoid about considering worst case scenarios).

Hopefully if I overlooked anything another more knowledgeable contributor will fill in the gaps or provide an easier to understand response.

Once the next major version of macOS (v12 Monterrey) is released later this year (expected in the next month or so), then Big Sur will only have two more years of receiving security updates from Apple. Two years from now you will have no choice but to upgrade macOS (if you have a Mac that can run a newer version of macOS) if you want to stay as secure as possible.

Whether or not Big Sur has issues for people largely depends on the software they use and the external hardware devices they connect. It is usually best to avoid a new release of an OS for at least one or two months so the initial bugs get ironed out, but after that the OS is what it is.

apple_customer Said:

"Password and ways to limit access.: Hello, Is there a way to make my Mac safer?"

-------

Troubleshooting Mac Security:

From a general standpoint, here is how to make it safer:

A. Start with a Backup:

Important: Be certain to create a backup of your Mac every-so-often. That way, she can have something to restore from the Mac from, should anything go wrong. Typically, it is a good idea to do so prior to making any major change to it (i.e. software installation).

B. Use MalwareBytes for Mac:

This is software that searches for malware/adware. So, scan with it and then remove what is found. Once removed, uninstall MalwareBytes for Mac. Then restart the Mac.

Downloads:

1. Malwarebytes Anti-Malware for Mac
2. Malwarebytes Uninstaller

C. Don't Share Apple IDs:

If you are sharing your Apple ID with here, then you should log out of it. Never, share Apple IDs, as changes and misguidance may be performed. as for all of her passwords, keep them handwritten, hard-copy format, stored in a secret location.

D. Don't Use Security Software:

Using Security Software just gets in the way on Mac and there are plenty examples on these forums as to how and why.

E. Modifying Credentials:

If scams or security ever becomes a concern, consider modifying the credentials, ASAP, starting with a new password.

• Modify: login credentials (using both a New eMail and a New Password) for Apple and each and all sites
• Associate: a different method of payment to her Apple Account
• Enable: Two-Factor Authentication for Apple ID PayPal and for all other accounts that have such an applicable option