Display Login Window as Name & Password

[doubledee]

On my new cMBP, while logged in as an Admin, under User & Groups I have this checked...

Display login wondow as: Name and Password

Yet when I boot up, I am presented with two user account icons (e.g. User1, User2).

I do NOT want the Usernames/Icons to show, because that is giving away half of the login!!

I want it so you get a form asking for Username and then a second field asking for Password.

What is wrong?!

(I turned on FileVault 2 and have one Admin account and one Standard account.)

Sincerely,


Debbie

 

[Weaselboy]

I do NOT want the Usernames/Icons to show, because that is giving away half of the login!!

I want it so you get a form asking for Username and then a second field asking for Password.

I don't believe there is a way to do what you want.

 

[Knoodles]

In users and groups, change login options to a list of users. Both fields should now be blank. You then need to know the user name and password.

 

[Weaselboy]

In users and groups, change login options to a list of users. Both fields should now be blank. You then need to know the user name and password.

I am on ML 10.8.4 and with that setting enabled I get an icon for each user with their "Full Name" listed below the icon. If you click the icon a PW field is displayed. There is no second field for the user name.

 

[Knoodles]

On 10.8.4 here too and I get a blank user name and password field with no icon.

This is weird. Now if I set it to name and password the fields are blank with no icon. Maybe I had it backwards?

Must of had it backwards. Works I think the way she wants if you use system preferences to change login options to user and password.

 

[Weaselboy]

On 10.8.4 here too and I get a blank user name and password field with no icon.

This is weird. Now if I set it to name and password the fields are blank with no icon. Maybe I had it backwards?

Yep... that's it. "name and password" is what OP is after. I just tested it.

I was thinking ass backwards also.

 

[Knoodles]

OP claims to have that option checked. I wonder why it's not working for her?

 

[Weaselboy]

OP claims to have that option checked. I wonder why it's not working for her?

Dunno.

I know she has Filevault on, but so do I. I enabled a second, standard account and logged out and all I get is a blank screen with the two fields as you described.

 

[doubledee]

Dunno.

I know she has Filevault on, but so do I. I enabled a second, standard account and logged out and all I get is a blank screen with the two fields as you described.

I switched Display login window as: from Name and password to List of users and that doesn't do anything.

It gives me...

Icon1
Username1

Icon2
Username2

If I click on Username2, I then see...

Icon2
Usename2
Prompt for Password

And if I switch back to List of users, then when I boot up it is more of the same...

Icon1
Username1

Icon2
Username2

If I click on Username2, I then see...

Icon2
Usename2
Prompt for Password

This isn't a major deal, but it is a PITA and a low-level security issue which I'd like to fix.

Any other ideas what is wrong?

Sincerely,


Debbie

 

[Mr Rabbit]

This is the way that FileVault works in 10.8.4, as tested on a freshly imaged MacBook Pro.

Basically FileVault overrides the normal login screen. Notice how you're greeted with the login prompt before the system actually loads? With FileVault disabled the boot process is:

• Power on Mac
• POST chime
• Gray screen
• Apple Logo
• Spinning gear appears under Apple logo
• Spinning gear disappears
• Login screen appears if autologin is disabled

With FileVault enabled the process changes slightly:

• Power on Mac
• POST chime
• Gray screen
• Apple logo with login prompt (icon, username, blank password field)
• Apple Logo
• Spinning gear appears under Apple logo
• Spinning gear disappears
• User profile loads & desktop appears

Basically you're having to authenticate earlier in the boot process in order to decrypt the disk/system in order for it to boot. I doubt it's a bug as Apple likes to keep things simple for end users, forcing them to authenticate twice before reaching the desktop would be against their general ideas. Seems like they would include an optional setting under Security & Privacy > Advanced or Security & Privace > FileVault to force the second login window or enable the same "name and password" setting as the normal login window but as of right now there isn't a way to do it through the GUI. A preference file hack might be possible to enable that but to be honest I really am not sure.

Send them some feedback, maybe such an option could still make it's way into 10.9 Mavericks!

 

[Weaselboy]

I have discovered why the discrepancy in what we are seeing.

If you set the login prefs to "Name and password", then restart you will see the same icon with the user name already filled in and just the blank PW field as if you left the option set to "List of users".

However, with the same "Name and password" option, if you just logout (not restart) you will see the screen like you wanted with no icon or user name and just a blank for the username and PW (photo below).

So to get the behavior you want just logout and don't shutdown/restart.

 

[doubledee]

So to get the behavior you want just logout and don't shutdown/restart.

That doesn't accomplish what I want.

I guess this isn't a major deal, but I don't like the pre-boot advertising which User Accounts have rights to unlock the encryption...


Debbie

 

[Mr Rabbit]

So to get the behavior you want just logout and don't shutdown/restart.

The problem though is that Filevault has already unlocked the disk at that point, defeating it's purpose until the Mac is rebooted. With that said I'm not sure how someone would run a cracking process (aside from physical brute force attack) without being logged in or having access to single user mode, but it is a bit disconcerting.

Again, I would encourage anyone affected by this workflow to file feedback with Apple. They do listen and if it's a common enough (i.e., more than a handful of requests) request then it could very well still make it's way into Mavericks this Fall.

http://www.apple.com/feedback/macosx.html

 

[Weaselboy]

The problem though is that Filevault has already unlocked the disk at that point, defeating it's purpose until the Mac is rebooted. With that said I'm not sure how someone would run a cracking process (aside from physical brute force attack) without being logged in or having access to single user mode, but it is a bit disconcerting

I understand that, and I agree that hypothetically just being "logged out" is not as secure as turned off. But that said, as a practical matter I don't see how even from the logged out state a hacker would go about getting in anyway.

With FV2 on a single user mode boot will stop and ask for an admin PW, so that avenue is blocked.

 

[doubledee]

The problem though is that Filevault has already unlocked the disk at that point, defeating it's purpose until the Mac is rebooted. With that said I'm not sure how someone would run a cracking process (aside from physical brute force attack) without being logged in or having access to single user mode, but it is a bit disconcerting.

Again, I would encourage anyone affected by this workflow to file feedback with Apple. They do listen and if it's a common enough (i.e., more than a handful of requests) request then it could very well still make it's way into Mavericks this Fall.

http://www.apple.com/feedback/macosx.html

I am doing that now.

BTW, how do I update from 10.8.3 to 10.8.4??


Debbie

 

[Mr Rabbit]

I am doing that now.

BTW, how do I update from 10.8.3 to 10.8.4??


Debbie

It's available under the Apple menu..

> Software update

This will launch the App Store and switch over to the Software Update section, where after several seconds you should see any available updates.

----------

But that said, as a practical matter I don't see how even from the logged out state a hacker would go about getting in anyway.

One could still enter the UNIX terminal using the old ">Console" trick at the login window but AFAIK they'll still be prompted to authenticate as soon as the console loads. It seems pretty secure but again, I cant help but wonder if theres a way around it without forcing a reboot.