1

I have two accounts on my Mac: a standard user account for everyday activities and an administrator account. When I need to do something that requires admin rights, like changing something in System Preferences or executing a terminal command, I just enter my admin credentials and don't switch accounts.

I am curious: is it possible for a keylogger that was installed in the scope of my standard user (without admin privileges) to record the admin password when I need to type it with su and sudo commands in the terminal or in the System Preferences popup, and then do much bigger harm to my system by possessing the administrator password? Is my reasoning correct here? Or is installing a keylogger without admin rights not possible in the first place? If such malware was indeed installed in the system, will I be able to see it in Security & Privacy -> Input Monitoring/Accessibility?

Generally speaking, is it secure to always type your admin credentials when you are logged in as a standard user, compared to switching to the admin account completely every time? Thanks!

2 Answers

2

There are a lot of side questions in your first version of the post, but at a high level, keyloggers can capture pass phrases, if the software is clever. But it may be a chicken and egg situation since malware may not need admin if it’s already installed and persistent.

Cleverly designed malware will nab your credentials, exfiltrate them and then uninstall itself before you might catch it. The crude ones, you likely can catch with “their hands in the cookie jar” more easily.

Have a look at tools like ReiKey if you want to learn more about how keylogging works on a technical level on macOS or be alerted when this could be happening.

1
  • Thanks a lot for answering. It's exactly what I was looking for. I will definitely check all the resources that you provided. BTW, I have another related question (and I hope the last one) regarding macOS & admin credentials security; maybe you will be interested to check it out as well: superuser.com/questions/1632014/… Thanks!
    – Nick
    Commented Mar 11, 2021 at 13:38
1

If a keylogger program is installed in the user scope without being given extra permissions, it cannot log passwords entered in the system dialogs.

However, if the keylogger already has administrative permissions that include the specific capability for accessibility input monitoring - then it can.

And of course, if there is a weakness (bug) on macOS that the keylogger exploits to gain such permission, then it would also be possible for it to log such passwords. However, in that case, it is likely the malware could get administrative permissions entirely without knowing your password.

4
  • But what about the case where you enter your admin password in the terminal with su and after with sudo commands? Does the OS protect them the same way as the system dialogs?
    – Nick
    Commented Mar 15, 2021 at 6:37
  • 1
    All windows are by default protected from being monitored.
    – jksoegaard
    Commented Mar 15, 2021 at 6:57
  • Thanks! So, generally, there is no point in switching to the administrator user to do a privileged action from the security perspective and it's okay to do it via credentials prompt in the standard user, right?
    – Nick
    Commented Mar 15, 2021 at 7:12
  • 1
    Yes..............
    – jksoegaard
    Commented Mar 15, 2021 at 7:50
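
The permission named in the answer above can be audited directly. This is an added example, not part of the original answers: it lists which clients hold an Input Monitoring or Accessibility grant in a TCC-style `access` table. It assumes the macOS TCC service names `kTCCServiceListenEvent` and `kTCCServiceAccessibility` and the `auth_value` (newer) or `allowed` (older) column layouts; the database and bundle identifiers are constructed sample data.

```python
import sqlite3

# TCC service identifiers behind the two System Preferences panes (assumed names).
SERVICES = {
    "kTCCServiceListenEvent": "Input Monitoring",
    "kTCCServiceAccessibility": "Accessibility",
}

def granted_input_clients(conn):
    """Return sorted (pane, client) pairs whose grant is currently allowed."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:      # newer layout: 2 means allowed
        cond = "auth_value = 2"
    elif "allowed" in cols:       # older layout: 1 means allowed
        cond = "allowed = 1"
    else:
        raise ValueError("unrecognised TCC access table layout")
    marks = ",".join("?" for _ in SERVICES)
    rows = conn.execute(
        f"SELECT service, client FROM access WHERE service IN ({marks}) AND {cond}",
        tuple(SERVICES),
    )
    return sorted((SERVICES[s], c) for s, c in rows)

def sample_db(modern=True):
    """Constructed stand-in for a TCC database; all clients are made up."""
    conn = sqlite3.connect(":memory:")
    flag, yes = ("auth_value", 2) if modern else ("allowed", 1)
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, {flag} INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        ("kTCCServiceListenEvent", "com.example.texthelper", yes),
        ("kTCCServiceAccessibility", "com.example.windowtool", yes),
        ("kTCCServiceListenEvent", "com.example.denied", 0),   # prompt was refused
        ("kTCCServiceCamera", "com.example.videochat", yes),   # unrelated service
    ])
    return conn

if __name__ == "__main__":
    for pane, client in granted_input_clients(sample_db()):
        print(f"{pane:18} {client}")
```

On a real Mac the system-wide database lives at `/Library/Application Support/com.apple.TCC/TCC.db`, and reading it requires Full Disk Access for the terminal; any client listed that you do not recognise deserves a closer look.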
