hoakley January 24, 2023 Macs, Technology

Is it more secure to be a normal or admin user?

Some Mac users, mostly those who have used Unix, prefer to run as normal rather than admin users, but most of us just use the single admin account created when we first set up that Mac. While there are good debates about preferences and protections, this article considers whether using a normal user account is any more secure than an admin one.

Privileges

The two main types of user account differ primarily in the privileges they give. If you’re an admin user, you can do pretty well anything that macOS allows. In some cases, you’ll be asked to authenticate before proceeding, even in parts of System Settings. But, as an admin user, your password is good for anything so long as it isn’t locked down by macOS, for example by System Integrity Protection (SIP). Even then there are ways and means of disabling SIP if you need to.

A normal user account doesn’t have some of those privileges, though. In general, a normal user is limited to changing their own settings, but not those affecting the system more generally. For example, they can’t create another user account, or change the privileges of accounts. They can install apps, though, and can use their Apple ID and have full access to iCloud and all its features, including subscriptions.

In many cases, a normal user can still access features limited to admin users by entering the name and password of an admin user.

nonadmin01

This can be significant for security. Malicious software may want to trick you into providing an admin user’s password so that it too can obtain elevated privileges. Running as a normal user won’t necessarily prevent that, as it could simply prompt you in the same way. If you seldom obtain elevated privileges when running as a normal user, then this might make you stop and think twice. But if you find yourself having to do this more frequently, you might be tricked into doing it without thinking.

There are a few unexpected features that aren’t available to the normal user, of which the most irksome is accessing the log. That does, for the moment, lock you out of some of my free utilities, although not SilentKnight. There are a few other apps that rely on your being an admin user that you might also regret.

nonadmin02

Privacy

In case you hadn’t noticed, macOS does a great deal to protect the privacy of user data. A traditional argument in favour of running as a normal user is that it separates your data from the system, and from other users. Thankfully, in all recent versions of macOS, you don’t need this any more: macOS is tucked away on a read-only snapshot on your System volume, and Privacy & Security work just the same whether you’re an admin or normal user.

Security

All built-in macOS security protection applies equally to all users, regardless of their privileges. Gatekeeper, XProtect and XProtect Remediator all do exactly the same job, in the same way. When tested against samples of real malware, there’s no difference in their detection or response. The one snag, though, is that checking on XProtect Remediator currently relies on access to the log, or support for Endpoint Security monitoring (in Ventura only), which becomes more difficult when you don’t have admin privileges.

User account weaknesses

There are a few important cautions, which apply particularly to admin accounts:

Never delete the primary admin account. You might get away with this if you have a secondary admin account configured, but it’s safer not to risk it even then.
Never allow your Mac to log in automatically to any admin account. You shouldn’t do this with a normal account either, although there potential consequences aren’t as serious.
Never use weak or guessable passwords for an account, particularly for an admin user.
Unless you have a truly compelling reason, never enable a Guest account.
Never authenticate as an admin user without knowing what that will do. Inspect and read that dialog carefully, and if you’re in any doubt, click on Cancel.

If you’re more comfortable with the more restricted privileges of a normal user account, then why not use one. But don’t think it’s going to improve security or privacy.

48Comments

Add yours

1

EcleX on January 24, 2023 at 7:51 am

Thanks. Two questions:

1. Why never allow your Mac to log in automatically to any admin account? Even when the Mac does not contain private data or you are the only user?

2. Why never enable a Guest account? Why? Even for troubleshooting?

LikeLiked by 1 person
- 2
  
  hoakley on January 24, 2023 at 8:20 am
  
  1. If you can enable that, it means you haven’t got FileVault turned on. That means I can take your Mac, start it up, not have to log in, and I have full access to all your data. I can install malicious software, trash documents, and do a great deal of damage. That’s why we have FileVault, passwords, and log in.
  2. If you have FileVault turned on, it’s useless – all it allows is Safari browsing. If you have FileVault turned off, it’s a vulnerability – would you enable a guest user and hand your Mac over to a hacker or security researcher? And you can’t troubleshoot anything with a guest account, can you?
  Howard.
  
  LikeLike
  - 3
    
    chrish1961 on January 27, 2023 at 11:01 am
    
    “ I can take your Mac, start it up, not have to log in, and I have full access to all your data. I can install malicious software, trash documents, and do a great deal of damage.”
    
    How would this be possible without logging in? By what other means would you have access to SSD data?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on January 27, 2023 at 12:04 pm
      
      If you refer back to the original question, it reads:
      “Why never allow your Mac to log in automatically to any admin account?”
      If you enable auto-login, then the user doesn’t log in, do they? That then gives full access to that account to anyone who cares to start that Mac up. And if that happens to be an admin account, it’s potential catastrophe. Apple explicitly warns against doing that.
      Howard.
      
      LikeLiked by 1 person
5

frpsr on January 24, 2023 at 9:58 am

Temptation and cancel , or glasses and bringing the screen to a legible size . A new mac left the comfort of habit for the uncertain joy of reestablishing suzerainty .
System dialogues are the company Henry Fuseli kept , little choices ushering in consequences . FRPSR .

LikeLiked by 1 person
6

aONe on January 24, 2023 at 1:08 pm

Nice read with the greatest conclusion: don’t think it’s going to improve security or privacy

I used to create non-admin accounts for family and friends but they then reached to me trying to install applications that asked for an admin user (sometimes sketchy ones). So at the end it was easier to let them have admin accounts and fix the issues later…

The sandbox system + all the security protections you mention seem fair enough to protect a “regular” user nowadays, admin or not.

For me admin + firewall (Little Snitch) is the way to go.

LikeLiked by 1 person
- 7
  
  hoakley on January 24, 2023 at 1:32 pm
  
  Thank you.
  Howard.
  
  LikeLike
- 8
  
  Paul Rockwell on January 24, 2023 at 5:17 pm
  
  I agree that if you set up non-admin accounts it makes it more difficult for those users to add software to the system.
  
  This is not necessarily a bad thing. Yes, it’s annoying to the user and to the admin user that would have to intervene whenever a non-admin would need to install something.
  
  But do you trust novice users to recognize whether something is sketchy or not? I do not relish “fix the issues later” – I’d rather prevent the issues in the first place.
  
  LikeLiked by 1 person
  - 9
    
    hoakley on January 24, 2023 at 6:00 pm
    
    Thank you. Sadly, some ‘sketchy’ apps are as easy to install as a normal user, than as an admin user. Even malware is working to make it simpler 🙂
    Howard.
    
    LikeLike
10

markbot2zero on January 24, 2023 at 2:33 pm

Thank you, Howard, wonderful article.

I’m tucking away those bulleted points at the end to share with all my clients. They should be “must read” for all Mac users.

I would only add that turning FileVault on is a “must do” for every Mac owner, preferably as part of the initial setup. (Someday maybe, Macs will ship with encryption on as the default, as it is with iPhones and iPads.)

Another privacy consideration is the unfortunate fact that many computer repair shop personnel have a nasty habit of snooping their customers’ devices, even copying stuff off them:

https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/

And, depressingly, but perhaps not surprisingly, women’s computers are more vulnerable, probably because most repair techs are men. (Come to think of it, I’ve never seen a woman working as a tech person, not even as an Apple “Genius.”)

I was thinking that a way around giving the password to your admin account (if it’s also your main personal account) away, is to create a second admin account (call it, perhaps, “Repair”) and use it for nothing but repairs. No pictures, no documents, of yours — empty. That way the repair shop has admin access if they need it, but can’t spy on your personal files.

And from what I’ve gleaned from this article:

https://eclecticlight.co/2020/11/28/startup-modes-for-m1-macs/

the venerable Single-User Mode is effectively gone in Apple Silicon Macs, eliminating a privacy sieve.

If you, Howard, or anyone* else has thoughts about whether this second admin account might be a useful way to protect your files, please share.

-Mark

*Just a shout out here to the many people who comment on Eclectic Light, often adding a wealth of insight and information.

LikeLiked by 1 person
- 11
  
  Graham on January 24, 2023 at 5:03 pm
  
  Better not to create “spare” accounts “just in case”. That is just introducing a new access vector. The safest way to hand in a device for hardware repair is to back it up and erase it, then restore from backup upon return. Especially as often times they will ask you to remove Find My, log out of iCloud or remove MDM anyway.
  
  LikeLiked by 1 person
- 12
  
  hoakley on January 24, 2023 at 5:54 pm
  
  Thank you.
  Apple does give clear instructions on how to prepare your Mac for service. I’ve found two slightly different versions: how to send your Mac, and how to get your Mac ready for service.
  Howard.
  
  LikeLike
  - 13
    
    Graham on January 24, 2023 at 7:07 pm
    
    Interesting point in the first article:
    “If you’re concerned about the security of your data, erase your hard disk before sending in your Mac.”
    We all should be concerned about the security of our data at all times, hence having an account password. So this point is almost a given.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on January 24, 2023 at 8:32 pm
      
      Thank you. Well, yes, but a lot of your data should already be well protected, and sensitive data either gated behind your Apple ID or another protection independent of FileVault.
      Howard.
      
      LikeLike
- 15
  
  hoakley on January 24, 2023 at 5:57 pm
  
  It’s perhaps worth pointing out that all Intel T2 and Apple silicon Macs do come with encryption enabled. So much so that you can’t disable encryption of your Data volume on the internal SSD. FileVault adds protection to the encryption key, rather than altering the encryption.
  Howard.
  
  LikeLike
16

Javier Gallardo on January 24, 2023 at 5:50 pm

Excuse me, sir. Could you briefly explain why not “Guest account”?
I recommended that to my wife at her iMac, when our children need to use a web-browser or a word-processor… I thought it was a nice feature, better than setting a user account for them, as a good solution for non very expert people. Where’s the risk? (My wife makes music and uses default Apple apps, plus a few essential others (VLC…). As a caution, I insist recommending them to use their iOS devices, anyway; they’re safer! (This the real power of iOS, I think; quite difficult to break something).
Thank you.

LikeLiked by 1 person
- 17
  
  hoakley on January 24, 2023 at 6:05 pm
  
  For your children, you should create a normal user account, and add parental controls to it.
  If you have FileVault enabled, as you should, then all that allows a guest is browsing in Safari. Once upon a time, that may have been a miracle, but today it’s much better for them on a device, such as an iPad.
  A simple question: would you hand your Mac with a Guest account enabled to a hacker? If you answer no to that, then you shouldn’t enable it in the first place.
  Howard.
  
  LikeLike
  - 18
    
    hoakley on January 24, 2023 at 6:10 pm
    
    I should perhaps add that you use a normal user account here to limit their privileges – a very good reason for a normal account. But that’s not for privacy or security.
    Howard.
    
    LikeLiked by 1 person
19

dominikushoffmann on January 24, 2023 at 6:37 pm

I had a case recently, where setting up an admin account with a separate password saved my an elderly family member from being taken for a ride by a phishing operation. He had received an email about a PayPal transaction and an impending shipment of product. All up in arms he called the “customer service” number and was told that he needed to download and install software on his computer, so that the refund and order cancelation could be processed. It failed, because he had forgotten the admin password and where he had written it down. By the time he called me, it had dawned on him that he had responded to a scam. He was very relieved that no damage was done.

In my own day-to-day work using my non-privileged user account I am rarely asked for the admin credentials. I do think, the extra layer of requiring a different user ID and password for “under-the-hood” changes, does make my system more secure.

It is age-old Unix practice for only administrators to have full privileges. Following this principle has been my way of doing things since the original Mac OS X 10.0. It took Windows many additional years for apps to run reliably, if the logged-in user was not an administrator.

LikeLiked by 1 person
- 20
  
  hoakley on January 24, 2023 at 8:35 pm
  
  Thank you.
  There’s something to be said these days not just for parental protection, but an equivalent for other folk who need a more controlled environment.
  Howard.
  
  LikeLike
21

Anthony Reimer on January 24, 2023 at 7:02 pm

I currently run as a Standard user on both my work and personal Mac and have been for at least a decade, but I also have an admin account that I only log in to when absolutely necessary (very rare) that gives me the “keys to the Kingdom” when running as that Standard user. I definitely agree that the protections that Apple has put in to macOS in recent years have made the difference between the two modes much smaller. The reasons I continue to run as a Standard user are (1) to give protection against vulnerabilities that leverage the fact that you are running as an admin, and (2) to add that one extra step of friction (as you describe in the article) in case the malware author tries to trick you into giving up your credentials. If a prompt for credentials shows my current user name, then it should only affect my local account (or is something that Apple thinks is OK for non-admin users to update). If it has a blank username, then it requires admin credentials, which is a cue to take a closer look. That aligns with your last bullet point. So while I agree that the difference between logging in (manually) as an admin and a Standard user continues to get smaller, I still find a small benefit in running as a Standard user.

LikeLiked by 1 person
- 22
  
  hoakley on January 24, 2023 at 8:31 pm
  
  Thank you.
  Howard.
  
  LikeLike
- 23
  
  James on January 26, 2023 at 11:59 am
  
  You said, “The reasons I continue to run as a Standard user are (1) to give protection against vulnerabilities that leverage the fact that you are running as an admin”
  
  How exactly does it do that? I use the advanced setting that locks the System Settings, which makes it behave pretty much as it would in a standard account; even changing the time & date require authentication. Other than that I don’t see a lot of differences in feature or permission that don’t aleready require authentication.
  
  The “vulnerability” as I see it is having a admin “password”, which can just as easily be used in a standard account for the exact same tasks. Or is there some automatic privilege elevation that occurs in a admin account that I’m not aware of? If I was in Windows the differences between admin and standard are clearer, but in macOS I struggle to find them these days on a M1 Mac when everything is basically locked down by default.
  
  LikeLiked by 1 person
  - 24
    
    hoakley on January 26, 2023 at 12:22 pm
    
    “is there some automatic privilege elevation that occurs in a admin account”
    Yes, that’s the difference between admin and normal user accounts. Simple and commonplace example: authentication to use any privileges. If you’re already an admin user, you’ll simply be prompted for your password. If you’re just a normal user, then you’ll have to enter the user name of an admin user, and their password.
    Also, using the same password for both isn’t a wise move at all, and defeats the whole purpose of privileges.
    Howard.
    
    LikeLike
25

yyzguy on January 25, 2023 at 12:50 am

Can you explain why some admin functions can be done with Touch ID and others cannot (password entry required instead of Touch ID)?

LikeLiked by 1 person
- 26
  
  hoakley on January 25, 2023 at 8:18 am
  
  Not really! I suspect it’s down to old code in the API. It does puzzle and irritate me too.
  Howard.
  
  LikeLike
- 27
  
  baron on January 26, 2023 at 1:23 am
  
  I like to think it helps me not to forget my password… 😀
  
  LikeLiked by 1 person
28

James on January 25, 2023 at 11:10 am

Thanks for responding to my concerns by email and writing this article Howard!

LikeLiked by 1 person
- 29
  
  hoakley on January 25, 2023 at 3:38 pm
  
  You’re very welcome. It has generated interesting discussion.
  Howard.
  
  LikeLike
30

Mike on January 25, 2023 at 11:26 am

I’ve grown used to the once-useful (now comfort behaviour?) of running as a standard user, and so have the various family members I occasionally assist. It serves as a useful pause when (rarely) prompted for an admin authentication.
For habitual tinkerers, it adds little except training them to authenticate for anything and everything that stands between them and what they want to do. I wonder if they would be prompted *fewer* times if they were running as an admin, restoring some value to the “think before you authenticate” moment.
Apple’s own guidance doesn’t seem to steer normal users away from admin accounts these days.
For now I think I’ll stick with standard, and will grumble quietly to myself each time I forget that my CLI session is still a standard user.
This is a very thought-provoking article, thankyou.

LikeLiked by 1 person
- 31
  
  James on January 25, 2023 at 3:05 pm
  
  You said, “For habitual tinkerers, it adds little except training them to authenticate for anything and everything that stands between them and what they want to do.”
  
  If you enable the lock for the System Settings in an Admin account, it behaves almost exactly as it does in a standard account. The only noticeable difference seems to be having to enter your login in addition to your password.
  
  LikeLiked by 1 person
  - 32
    
    hoakley on January 25, 2023 at 3:42 pm
    
    Thank you.
    I note that enabling that lock doesn’t actually change the user’s privileges, just forces them to authenticate for everything significant in System Settings. It sounds like purgatory to me!
    Howard.
    
    LikeLike
- 33
  
  hoakley on January 25, 2023 at 3:39 pm
  
  Thank you.
  Howard.
  
  LikeLike
34

markbot2zero on January 25, 2023 at 11:05 pm

Dear Howard,

re: “Well, yes, but a lot of your data should already be well protected, and sensitive data either gated behind your Apple ID or another protection independent of FileVault.”

If you get a moment and can elaborate a bit on this, I’d appreciate it. I don’t understand what you mean by “gated behind your Apple ID or another protection.”

Thank you,

-Mark

LikeLiked by 1 person
- 35
  
  hoakley on January 26, 2023 at 6:25 am
  
  Mark,
  The only really sensitive data that I have here is in my keychain, which is held in iCloud. Without access to my Mac or one of my devices *and* my iCloud account, accessing that isn’t feasible. If I were to have other sensitive data, it’s so straightforward to store them in an encrypted sparse bundle or volume, and/or in iCloud Drive.
  All you have to do to protect those is to sign your Mac (or device) out of iCloud before handing it over to anyone else. Unless they can sign in using your AppleID, everything that’s held in iCloud is inaccessible to them, while you can still access it on other Macs and devices.
  Howard.
  
  LikeLike
36

Michael Tsai - Blog - Normal Mac User Accounts on January 26, 2023 at 8:46 pm

[…] Howard Oakley: […]

LikeLike
37

markbot2zero on January 27, 2023 at 6:36 pm

Coda:

Well, after years/decades of being a “normal”* user in my day to day work, I upped my account on my iMac to “Admin,” rebooted, and lived to tell the tale.

I’ll keep some Standard accounts for various family members who use the Mac, which keeps errant sons-in-law from loading PC games ported to Mac. Or at least I have to do it for them. To be able to create a Standard account is therefor quite valuable, so the Admin can exercise some level of control.

The initial account created by macOS on a new Mac is, and always has been, an Admin account. Apple offers no information about different kinds of accounts during the initial setup (or after, for that matter) and does not alert the user to any security or privacy implications.

In my experience, for most users, the initial account is the only account on the Mac, and they aren’t even aware that it’s an Admin account, or what that even means.

-Mark (no longer “normal”…)

*Hmm–strictly speaking, I believe it’s a “Standard” user. Calling it “normal” implies perhaps that Admins aren’t normal. (?)

LikeLiked by 1 person
- 38
  
  hoakley on January 27, 2023 at 8:10 pm
  
  Thank you, Mark.
  Yes, Apple does refer to them as “standard” users, but I’m quite comfortable with being abnormal in this respect as well.
  In fairness to Apple, while it doesn’t provide any cautions about using that primary admin account, Help does include information about all user types and their limitations. But I don’t think it has ever advised users to create and use a second standard/normal account.
  Howard.
  
  LikeLike
  - 39
    
    Abe on February 9, 2023 at 2:32 pm
    
    Hello, thank you for your article, very enlightening as always. If I may, Apple does indeed advise to create a standard user. Quote: “Consider creating a standard user for your daily work and use the administrator user only when you need to install software or administer users.”
    
    https://support.apple.com/en-sa/guide/mac-help/mh11389/mac
    
    LikeLiked by 1 person
    - 40
      
      hoakley on February 9, 2023 at 6:06 pm
      
      Thank you.
      No, Apple does not, there or anywhere else, advise users to create a Standard user and work primarily in that account. The word “consider” doesn’t mean “you should”. I have considered exactly this issue in my article above, and it’s a matter of personal preference. The claim that working as a Standard user rather than an Admin depends entirely on how you behave. Malware can just as well prompt a Standard user to enter the Admin user’s name and password, and if you do that often and habitually in order to function as a Standard user, then there has been nothing gained – the point that I make above.
      Howard.
      
      LikeLike
    - 41
      
      Abe on February 9, 2023 at 6:37 pm
      
      Thank your for your answer, Howard. You are very right, my english is not good enough so I thought it was Apple’s advice to stay safe. Your article is very convincing and I will revert to a single admin account.
      
      LikeLiked by 1 person
    - 42
      
      hoakley on February 9, 2023 at 10:07 pm
      
      Your English is excellent. I think it’s more important that you are comfortable in the way that you work, and can remain alert against phishing attacks and the like. I’m happy to do that as an Admin user.
      Howard.
      
      LikeLike
43

Gord L. on January 29, 2023 at 3:32 am

Thank you, as always, for the detailed and helpful guide, Howard. I have bookmarked it for future reference (as I’ve done with dozens of your blog entries).

Could you perhaps elaborate on bullet point #1: “Never delete the primary admin account”… not even if I first use it to create another admin account?

I personally live in an admin-level account day-to-day, personalized with my own name—which was the first account ever created on this Mac. I’m planning to soon pass along this computer to a friend (after I’ve migrated everything over to my newer Mac of course). My plan of action before passing it off was to create a new “Admin” account, then use that account to delete the original admin account, the one in my name. (Then I will create a standard account for my friend’s day-to-day use.) This way I can keep some useful freeware apps and screensavers etc. installed, without having to go through the process of reinstalling all of them for my friend.

What are the potential drawbacks of this approach?

Thanks.

LikeLiked by 1 person
- 44
  
  hoakley on January 29, 2023 at 7:53 pm
  
  Thank you.
  I strongly discourage you from trying this when handing a Mac on, as it will still contain ample private data.
  I have two articles explaining what you should do. This is aimed at Intel Macs without T2 chips, and this at all more recent models, either with a T2 or Apple silicon chip.
  Howard.
  
  LikeLike
  - 45
    
    Gord L. on January 30, 2023 at 4:22 am
    
    Thanks for the very helpful articles. Two more bookmarks to add to the pile. This site truly is essential for serious Mac/Apple users.
    
    LikeLiked by 1 person
    - 46
      
      hoakley on January 30, 2023 at 6:20 am
      
      Thank you.
      Howard.
      
      LikeLike
47

markbot2zero on January 30, 2023 at 2:41 am

Thank you, Howard.

And the reason why the primary user account should never be deleted (even if you’re not giving the Mac away) is covered by your article here:

https://eclecticlight.co/2016/05/11/the-501-orphan-problem-why-you-shouldnt-delete-the-primary-admin-user/

Alas, our accounts have names but deep down, macOS mainly sees us as numbers. To see what number you are on a Mac, open up Terminal.app and at the command line prompt type:

id

(kind of Freudian, that) and hit the Enter key. The ensuing text dump will likely start with:

uid=501

The vast majority of Mac users are undoubtedly 501s, that being the number which macOS assigns to the default Admin account (and for most Macs, probably the only account) set up when the Mac was new.

New accounts are, are I believe, incremented by one, so the second account on a Mac will be 502, the third 503, and so on. These can be deleted no problem, but not that initial 501 Admin account — as the article above makes clear.

-Mark

LikeLiked by 1 person
- 48
  
  hoakley on January 30, 2023 at 6:20 am
  
  Thank you, Mark.
  Yes, you’re correct: as you add new accounts, their UID increases by 1, whether standard/normal or admin accounts. The ‘missing 501 account’ is a notorious problem. It’s not insoluble, but exceedingly tedious to address.
  Howard.
  
  LikeLike