James Philp said:
It is unheard of that someone has hacked a Mac from a remote site without the user giving them (manually) an administrator password as far as I know.
Not true at all. There are a variety of attack vectors. Unpatched Apache, ssh, OS pieces, etc. It's definitely happened. Unfortunately, the ease of setting up OS X and some of its nicer services makes it a rich target for attack. Grandma Jones doesn't know or care about security, but she does want to show those pictures of her grandchildren on her website!
My problem with the whole market share thing is yes, Windows is a riper target. Yes, Mac OS X has a significantly smaller market share. But we're talking about 10s of millions of Mac OS X boxes out there! If a hacker wanted to hit a Mac, there's plenty to choose from. It might take you a little longer to find one, but they are there.
You can follow all sorts of "best practices" to protect yourself, but if malicious dude A has physical access to your computer (no matter what flavor it is), you are in danger. End of story.
As for needing root to change passwords, naah..
Single User Mode -> use niutil to change the password properties. That should work, no?
Good time to use the OF Password!