If you’ve been using FileVault from the time you set up your Mac, that encryption is extremely strong, and erasing the drive deletes the passphrase-protected encryption key. That makes the contents effectively irretrievable, and no additional erasure is needed for an SSD or HDD. If you didn’t use FileVault, here are your options.
Unless you’re dealing with secrets that would lead to the overthrow of governments, using Disk Utility’s secure erase feature meets the mark. HDDs can also be physically destroyed with a drill equipped with a bit suitable for puncturing the metal casing. A hammer and chisel could work, too. If you have a dead HDD and if you think anyone with motivation might pay to have the data recovered, physical destruction is the only way to ensure data isn’t readable.
Data is written in an unpredictable fashion on SSDs to distribute the wear across all the memory cells in the solid-state device. As a result, a secure erase feature doesn’t work at all, as it may not overwrite all the data. Physical destruction is really the only course of action, which is an unfortunate waste of technology. And if you have a Mac in which the SSD isn’t removable, but part of the computer, that’s even worse.
Fortunately, the various kinds of RAM used by generations of Macs are all volatile memory: the contents disappear instantly or shortly after a device is powered down. So far, there’s no way to recover any traces of data from RAM chips.
Apple has today launched its new Data and Privacy website, allowing Apple users to download everything that Apple personally associates with their account, from Apple ID info, App Store activity and AppleCare history to data stored in iCloud like photos and documents. This is currently only available in the European Union, Iceland, Liechtenstein, Norway, and Switzerland to comply with GDPR, but will roll out worldwide in the coming months.
The new online tools allow customers to get a copy of all data associated with an Apple ID. You can request account details and sign-in records and data such as contacts, calendars, notes, bookmarks, reminders, photos and documents. Apple also stores info like app usage statistics for Apple Music and Game Center, a purchase history of items bought from the App Store and iTunes Store, AppleCare support history and marketing records.
Only data that is personally identifiable can be found here. This can all be downloaded with a few simple clicks on the privacy portal. To obtain a copy of your data:
1. Log in to privacy.apple.com.
2. Select the "Get started" link under the "Get a copy of your data" heading.
3. Tick the boxes of the categories of data you want to download (iCloud Photos, Mail and Drive are in a separate list as this data may be exceptionally large).
4. Press Continue.
5. Select your preferred maximum file size (Apple will split up the data into chunks, up to a maximum of 25 GB) and press Continue.
Your data request is now in progress. Data like iCloud Photos will take a long time to generate as there are potentially tens of gigabytes of files. It can take up to a week to prepare the downloads. Apple notifies you when the data is ready to download, and it is automatically deleted after 2 weeks.
Apple says it provides all data in standards-compatible formats. This means it can be used as a way to move all your data to a new cloud service, as well as transparently showing customers what data Apple keeps on them.
Whilst these features will roll out later in the year for other regions, all customers can request data corrections, deactivate or delete their account. You can do this by following the links on the main page.
Deactivation means that Apple will stop processing any data relating to your Apple ID. You will not be able to access any store purchases from iTunes, iBooks or the App Store. You will not be able to access any iCloud data, or use iCloud services like FaceTime or iMessage (see here for more conditions about account deactivation). You are literally cutting yourself off from the Apple connected world. Apple will verify all deactivation requests to prevent abuse. Apple doesn’t delete your info, it just stops anyone - including Apple - from accessing it whilst the account is deactivated. You can re-enable the account by logging back in to the privacy portal and choosing to reactivate it.
Permanent deletion takes this one step further, essentially asking Apple to remove all data they have stored on you - forever. This process is not reversible once initiated.
Mac users in higher security risk situations may wish to enable an optional firmware password on their machines, which offers an advanced level of protection. In short, a firmware password is a lower level layer of security that is set on the actual Mac logic board firmware, rather than at the software layer like FileVault encryption or the standard login password.
The result of setting a firmware password is that a Mac cannot be booted from an external boot volume, single user mode, or target disk mode without first entering the firmware password; it also prevents resetting of PRAM and booting into safe mode without it. This effectively prevents a wide variety of methods that could potentially be used to compromise a Mac, and offers exceptional security for users who require such protection.
Like any other essential password, use something memorable but complex, and do not forget a firmware password after it has been set. A lost firmware password is unrecoverable on most modern Macs without a visit to an Apple Store for service and recovery.
Setting a firmware password is rather simple.
• Start up from macOS recovery mode by holding down Command (⌘)-R immediately after turning on your Mac. Release the keys when you see the Apple logo.
• When the utilities window appears, choose Utilities > Firmware Password Utility from the menu bar. On iMac Pro, choose Startup Security Utility instead.
• Click Turn On Firmware Password.
• Enter a firmware password in the fields provided, then click Set Password.
• Quit the utility, then choose Apple menu > Restart.
The firmware password prompt will not appear during a regular restart or boot of the Mac; it only becomes mandatory when someone attempts to boot the Mac by an alternate method. This may be an attempt to boot from a macOS installer drive, an external boot volume, recovery mode, single user mode, verbose mode, target disk mode, resetting the PRAM, or any other alternative booting approach, each of which will summon the rather plain-looking firmware password window. There are no password hints or additional details provided, only a simple lock logo and a text entry screen. An incorrectly entered firmware password does nothing and offers no indication of login failure except that the Mac won't boot as anticipated.
To reset a login password in OS X Mountain Lion or later, restart the Mac and hold down Command-R to boot into the Recovery HD partition. From the Utilities menu, choose Terminal to open it. In Terminal type:
and press Return.
In macOS Sierra and macOS High Sierra, a Reset Password assistant will launch. Choose the user account or admin account you want to reset the password for. Enter a new password, confirm the new password, set (if you like) a password hint and then click on "Next" to set the new password for the account in question. Choose to "Restart" the Mac and when the Mac boots up, use the newly reset password to log in to the computer.
In OS X Mountain Lion, OS X Mavericks, OS X Yosemite and OS X El Capitan, a Reset Password window will appear that will list all the bootable volumes attached to your Mac. Select the volume that contains the account you want to reset and choose the user name that needs its password reset. Enter and verify a new password in the appropriate fields and, if you like, enter a password hint. Click Save and the new password is applied to the account.
The Mac is generally considered to be safe and secure, and there are a number of reasons why Macs are considered more secure than PCs. Malware writers are less likely to target Mac users because of the perception that the Mac has a far smaller market share than Windows. There is also the fact that the Mac operating system is Unix-based, and Unix offers a number of security features built in.
Apple goes to great lengths to protect you from malware by making it impossible for you to download it in the first place. The company has built antimalware protection into macOS. The Mac's malware scanning tool, XProtect, works invisibly and automatically in the background and requires no user configuration. Apple has a list of malicious applications that it checks against when you open downloaded applications. Updates happen invisibly too. This is similar to having antivirus software from another software developer running on your Mac, with the bonus that it is written into the operating system and therefore doesn't hamper the speed of your Mac. If you download and try to open files contaminated with malware, you may see an explicit warning that the files will "damage your computer", along with a reference to the type of malware. You should delete the file immediately.
In addition, macOS blocks downloaded software that hasn't been digitally signed - a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: "[this app] can't be opened because it is from an unidentified developer." The system at work here is called Gatekeeper and can be controlled via the Security & Privacy section of System Preferences. In addition to Gatekeeper, which should keep malware off your Mac, FileVault 2 makes sure your data is safe and secure by encrypting it.
It's certainly not an essential requirement to install antivirus software on your Mac. Apple does a pretty good job of keeping on top of vulnerabilities and exploits, and the updates to macOS that will protect your Mac will be pushed out over auto-update very quickly. However, sometimes Apple doesn't respond as quickly as Mac users might hope. In that case there are some free anti-virus apps (such as Sophos Anti-Virus for Mac Home Edition or ClamXav) that might give you some peace of mind.
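To confirm from Terminal that the protections described above (FileVault, Gatekeeper and the firmware password) are actually switched on, a short audit script can read the status each built-in tool reports. This is an added example, not part of the original article; it assumes the status wording printed by fdesetup, spctl and firmwarepasswd shown in the comments, the function names are hypothetical, and firmwarepasswd must be run as root to return a result.

```sh
#!/bin/sh
# Added example: audit three macOS protections by parsing tool output.

# classify <output> <on-text> <off-text>: map tool output to on/off/unknown
classify() {
  case "$1" in
    *"$2"*) echo on ;;
    *"$3"*) echo off ;;
    *)      echo unknown ;;
  esac
}

# Assumed status wording for each tool:
#   fdesetup status        -> "FileVault is On." / "FileVault is Off."
#   spctl --status         -> "assessments enabled" / "assessments disabled"
#   firmwarepasswd -check  -> "Password Enabled: Yes" / "Password Enabled: No"
filevault_state()  { classify "$1" "FileVault is On" "FileVault is Off"; }
gatekeeper_state() { classify "$1" "assessments enabled" "assessments disabled"; }
firmware_state()   { classify "$1" "Password Enabled: Yes" "Password Enabled: No"; }

# check <label> <state-function> <command...>: run the tool, print its state,
# and return non-zero unless the protection is confirmed on.
check() {
  label=$1; fn=$2; shift 2
  if command -v "$1" >/dev/null 2>&1; then
    state=$("$fn" "$("$@" 2>&1)")
  else
    state="unknown ($1 not installed)"
  fi
  echo "$label: $state"
  [ "$state" = on ]
}

# Run all three checks; the return value is the number not confirmed on.
audit() {
  failures=0
  check "FileVault" filevault_state fdesetup status || failures=$((failures + 1))
  check "Gatekeeper" gatekeeper_state spctl --status || failures=$((failures + 1))
  check "Firmware password" firmware_state firmwarepasswd -check || failures=$((failures + 1))
  echo "$failures protection(s) not confirmed on"
  return "$failures"
}

audit || true
```

A result of "unknown" for the firmware password usually means the script was not run with sudo.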