Mountain Lion security

The keychain on OS X is secure. It uses strong encryption. If you're not logged in, it's not open and it's secure.

I've been using FileVault 2 since it shipped on Lion. 3 laptops, everyday use, no issues. Obviously, backups are good.

But as far as the keychain being "locked out," it's just that the keychain is "locked" when you're not logged in to the machine. Changing the admin password is really orthogonal to this; they're not related other than the act of changing the password is something that's done when you're booted from the recovery partition. That means you're not logged into the account => keychain is locked, keychain is safe.

What are people who lost their admin passwords going to lose? Yes, they're going to lose access to whatever's in their keychain, if they don't recall the keychain password. Not that many people store much in their keychain, to tell the truth. I use it a ton, but many people don't use it much, and in fact use the same password on pretty much every site and service they use (yes, that's horrible from a security perspective but it's what unaware people do. I'm not willing to get a bullhorn and walk around preaching password best practices to the masses... I have a day job ;-)

I think there are a few possiblities for what would happen:

1) Thief just wants your machine to sell. He notes it won't boot, so he sells it. He doesn't car.

2) Thief wants to use your machine personally. If he knows anything about Macs, he notes he can't get your data, and he finds out how to boot to teh recover partition, boots to it, reformats the drive, and has a shiny clean new machine without your data.

3) Thief actually wants to steal your data. He stole it to get your data. He's foiled. Maybe he tries to crack the password at the FileVault 2 password prompt at log in. Good luck with that... this depends on the strength of your password.

Note for case #3, if you have "Find my Mac" turned on, you can possibly remote wipe the Mac while he's trying this. And maybe track it.

But yes, correct, the firmware password doesn't lock the drive. It just locks the machine.

Yes, if you don't have your data encrypted, the person can log into you, and access everything in your account that's not encrypted. This includes your email, your contacts, your calendars, all your documents (office, iwork, etc.), your entire photo libraries. Pretty much EVERYTHING that's not in your keychain or 1Password, or encrypted in some other way.

So yes, encrypting the entire drive with FileVault 2 is a secure option. Of course, that means you should have a backup (or multiple backups!) that are also encrypted.

Is Keychain secure? The answers seem to be it is, but if someone could point me to something that confirms that, I'd be much happier.

As far as the encryption is concerned, yes, it sounds like you already know that's secure. With regard to the password, there's absolutely no way to reset a keychain password, as there is for a user account, so as long as your machine is not stolen while the keychain is unlocked, you should be fine. (Make sure that you require a password to wake from sleep or the screen saver.)

You're saying that they'll be able to read my mail, see my calendar et al.? How do I fix that? Does that go back to Filevault-ing the whole disk drive?

Well, first of all, you need to re-think considering e-mail secure in the first place. Sending an e-mail is about as secure as sending a postcard. Unless you use some kind of encryption with your mail (such as PGP or S/MIME), which requires the cooperation of the person on the other end, your e-mail isn't remotely secure, and should never be used to send or receive confidential information. It can be snooped on by any party between the sender and the receiver, it can be seen by wireless sniffers at the receiving or sending end, and if the e-mail account gets hacked it's all right there ready to be read. Encrypting e-mail on your machine is kind of like exchanging postcards with someone, then locking the postcards in a safe after you receive them. Not really much point.

Regarding your calendar, if that's something that you consider to be sensitive information, then yes, the thief would be able to view that as well. Without keychain access he/she would be unable to sync it, but could still view what is on your machine. So, if stuff like this is a concern, FileVault is really the way to go.

So the firmware password doesn't lock the drive, just the machine.

The firmware password doesn't even really lock the machine, per se. The only thing the firmware password really does is prevent the thief from doing certain things at startup, like booting from another volume or booting into target disk mode, etc. The full list of things that are blocked by the firmware password are here:

http://support.apple.com/kb/HT1352

But, as pointed out, this doesn't prevent the thief from pulling the hard drive out and putting it in an enclosure to read the data off from another machine. Only encryption can stymie that.