Security Concern: Lack of Brute-Force Protection After Logout or Sleep

Hello Apple Community,

I recently reported a potential security issue in macOS Sequoia 15.3.2, where there are no brute-force protections after logout or sleep. When I raised this as a bug, I was told:

“The behavior you’re seeing is exactly what we expected.”

However, this creates a serious design flaw that makes brute-force attacks much easier under common usage patterns.


How This Creates a Security Risk

Apple enforces escalating time delays and attempt limits when a Mac starts up, helping prevent brute-force attacks. However, once a user has logged in, these protections are no longer enforced. This means that if a Mac is logged out or put to sleep, an attacker can attempt unlimited passwords without restriction.

This is particularly concerning because most Mac users don’t shut down their devices—we simply close the lid and put the Mac to sleep. In this case, the device is vulnerable to unlimited password attempts. Anyone with physical access to a locked Mac in this state (e.g., in an office, coffee shop, or airport) could use a brute-force method to guess the password without facing any time delays or lockouts.

Apple’s own documentation acknowledges this behavior:

“To help prevent malware from causing permanent data loss by trying to attack the user’s password, these limits aren’t enforced after the user has successfully logged in to the Mac, but they are reimposed after a restart.”

This approach prioritizes preventing accidental user lockouts over preventing unauthorized access, but it also introduces a significant security risk. Since closing the lid or logging out does not reimpose brute-force protections, it effectively allows an attacker to enter unlimited password attempts until the next restart.

If macOS treated logout and sleep the same way it treats a full restart, this vulnerability wouldn’t exist. But in its current state, the Mac is only fully protected against brute-force attacks when it has been restarted, which is not how most people use their devices.


Should Apple Reconsider This as a Security Bug?


Given the security implications, should Apple reconsider this behavior as a bug rather than an intentional design choice? Shouldn’t brute-force protections be reimposed immediately after logout or sleep, rather than only after a restart?

Would it make sense for Apple to introduce a security option allowing users to enable brute-force protections after logout or sleep, similar to how they are enforced at startup?

I’d love to hear what the community thinks about this. Is this something Apple should address, or is there another perspective on why this behavior is acceptable?



[Edited by Moderator]

Posted on Mar 25, 2025 10:30 AM

Question marked as ⚠️ Top-ranking reply

Posted on Mar 25, 2025 3:42 PM

I didn’t get very far, so maybe this isn’t unknown to you, but you can enable password restrictions with an MDM profile.

There is a large number of people who either don’t have a password at all or have auto login enabled. I doubt many people want to wait 10 hours if they mistype their password several times.



Mar 25, 2025 4:10 PM in response to sahildabhilkar

A successful brute-force attack via manually typing on a keyboard for a password for which you don't even know the number of characters isn't going to happen. The keyboard would probably fail before anyone got it right. However, if you really care about it then all you have to do is turn off the Mac before you close the lid. Shoulder surfing is protected by the fingerprint scanner - unless, of course, you force the password by turning the Mac off before you close the lid.


Have a look at the pmset command, which allows you to mess about with the hibernation mode and timings, which might allow you to have the Mac turn off a set period after you close the lid.


Or, if it bothers you that much, don't buy a Mac.


Mar 26, 2025 6:38 AM in response to sahildabhilkar

sahildabhilkar wrote:

Curious if others see this as a concern too!

Theoretically? I guess. Practically? No. While getting hit on the head by a large chunk of space debris would be awful, the actual likelihood of that happening is very small.


The major danger people face is not brute force attacks to their password. It's falling victim to increasingly sophisticated phishing scams.


Mar 26, 2025 6:07 AM in response to Barney-15E

Thanks for your input! I understand that MDM can enforce password restrictions, but that only helps managed devices. Most regular users don’t have access to MDM, so this remains a security gap for the majority.


As for long lockout times, Apple could offer a middle ground—such as optional brute-force protections or escalating delays after sleep/logout, similar to what’s enforced at startup. Right now, anyone with physical access can attempt unlimited passwords, which feels like an oversight.


Would love to hear your thoughts on that!


Mar 26, 2025 6:14 AM in response to Zurarczurx

I appreciate your perspective, but I respectfully disagree.


Brute-force attacks aren’t always manual—attackers can use external keyboards or automated tools to speed up attempts. Plus, macOS itself doesn’t enforce any delays after sleep/logout, making it easier than it should be.


While shutting down the Mac is a workaround, that’s not how most people use their devices. A security feature shouldn’t rely on user habits—it should be designed to protect users by default.


Also, an attacker doesn’t have to be a hacker—it could be a family member, a roommate, or a colleague who has an idea of what your password might be. If they get unlimited attempts, they could easily guess it over time.

Wouldn’t it make sense for macOS to offer an optional security setting to reimpose brute-force protections after sleep/logout?


Mar 26, 2025 6:22 AM in response to MartinR

Thanks for the suggestion! However, I didn’t report this through Apple’s feedback system because this isn’t just a feature request—it’s a security bug that allows unlimited password attempts after logout or sleep.


Compared to other operating systems like Windows, which introduce a time delay after 5–6 failed attempts even after logout or sleep, macOS lacks this protection. That means anyone with physical access can keep trying passwords without restriction, which seems like a design flaw rather than an intentional feature.


This should be considered a security issue, not just feedback. Curious if others see this as a concern too!
