Repair Permissions

For many years, if you were to visit Mac discussion forums and news sites, you’d see repeated recommendations to use Disk Utility’s Repair Disk Permissions feature. Some people recommended repairing permissions on a daily basis, or before and after every software installation, or as a first troubleshooting step when any sort of problem arose. Anecdotes abounded about the magical curative (or prophylactic) properties of this feature, so it achieved a mythical status—in much the same way rebuilding the desktop file was a standard cure-all under Mac OS 9.

In 10.11 El Capitan, Apple removed the Repair Disk Permissions feature from Disk Utility. Instead, permissions are now repaired automatically when you install software using Apple’s installer. So if you’re running El Capitan or later, there’s nothing to see here; move on to Defragment Your Hard Disk.

What about those still running 10.10 Yosemite or earlier? Isn’t it still a good idea to repair your permissions? At the risk of being labeled a heretic, I’d like to suggest that in most cases repairing permissions is nothing more than a placebo. True, the procedure can solve certain problems in Yosemite and earlier, and rarely does any harm, but as a routine maintenance task, I consider it a waste of time. To explain why, I should provide a bit of background.

In OS X, each file contains information specifying which users (or parts of the system) can read it, modify it, or execute it. This information is collectively known as permissions. If a file has incorrect permissions, it can cause apps to misbehave in various ways, such as crashing or failing to launch.

Ordinarily, installers set the correct permissions for the files they install, and the permissions stay that way permanently. However, a poorly written installer can mess up permissions—even for files it did not install—and if you use Unix commands such as chown and chmod, you can accidentally set files’ permissions incorrectly. These sorts of problems occur infrequently, but they do occur.

The Repair Permissions feature looks for certain software installed using Apple’s installer, which saves files called receipts that list the locations and initial permissions of all the files in a given package. Repair Permissions compares the current permissions to those in the receipts and, if it finds any differences, changes the files back. The command ignores software installed in other ways (using a different installer or drag-and-drop installation, for instance) and knows nothing about permission changes you may have made deliberately.

Although I said earlier that some kinds of disk problems can occur without any provocation (see the sidebar Why Do Disk Errors Occur?), permissions don’t go out of whack all by themselves; you (or software you install) must do something to change them. And not all changes are bad; in many cases, a file’s permissions can be different from what they were originally without causing any problems. So repairing permissions makes little sense as a regular activity.

For those running Yosemite or earlier, I do, however, recommend repairing permissions as a troubleshooting step if (especially right after installing new software) you find that an app no longer launches or that it produces inexplicable error messages.

To repair permissions in Yosemite and earlier, follow these steps:

1. Open Disk Utility (in /Applications/Utilities).

2. Select a volume in the list on the left.

3. In the First Aid view, click Repair Disk Permissions.

Disk Utility resets the permissions of files installed using Apple’s installer.

Defragment Your Hard Disk

As you use your Mac, your files gradually become fragmented into smaller segments scattered across your disk. Some people consider this a serious problem and go to great lengths (and expense) to correct it. Before worrying about fragmentation, you should understand how and why it happens—and what the real-world consequences are.

Pretend, for the sake of illustration, that your hard disk consists of exactly ten blocks and that it initially contains five small files (A, B, C, D, and E), each of which takes up exactly one block. Your disk looks tidy and clean, something like this: ABCDE_⁠⁠⁠.

If you delete files B and D and add a couple of new files, F and G, your disk looks like this: A_C_EFG_⁠_⁠_. If you then add a file H that’s twice as big as the others, the drive puts it at the end, like so: A_C_EFGHH_. Now file G grows to two blocks in size. There being too little space between F and H, G must split into two segments: A_C_EFGHHG. Finally, if you add file J and delete file F, your disk looks like this: AJC_E_GHHG.

Now imagine this happening with hundreds of thousands of files of different sizes. Some tiny files might occupy just one block, while some huge ones may occupy millions of blocks. The more you read and write files, the more jumbled the data becomes: individual files split into numerous noncontiguous chunks, and lots of small, empty spots where other files once lived. That’s fragmentation: the normal state of your hard disk!

Ordinarily, you never notice fragmentation, because macOS keeps track of which parts of which files are where and automatically reassembles or disassembles them as needed. With modern hard drives, this process goes so fast that it’s normally imperceptible. Further, macOS includes automatic background defragmentation of smaller (less than 20 MB) files, so that although files may not be contiguous with each other, at least most of them are in one piece.

But a problem occurs when you have apps that must read or write massive amounts of information in real time, such as audio or video recording and editing apps. When these large files become fragmented, the drive’s read/write head must physically zip back and forth over the disk to get all the segments, and sometimes the rate at which it does the zipping is too slow to keep up with the amount of data being saved or read. Unfortunately, the results can include gaps in the data, stuttering, or slow app performance.

For ordinary users, defragmentation is a waste of time unless the fragmentation is extraordinarily severe (as evidenced by long delays in opening and saving files). But if you use high-end audio or video apps regularly, occasional (say, monthly) defragmentation is worthwhile. In addition, disks that are nearly full tend to fragment files more than disks with lots of empty space, and it’s more difficult for macOS to defragment an almost-full disk. Several utilities pick up where macOS leaves off, performing thorough defragmentation and making sure all empty space on the disk is contiguous, to squeeze every last bit of performance out of your drive. But be aware of these caveats:

• The process is quite slow—and if you’re defragmenting large disks, your computer could be effectively out of commission for many hours, or even days.

• Defragmentation is somewhat risky, since it involves deleting and rewriting almost every file on your drive. A good backup is always essential before undertaking defragmentation.

• As a reminder, you should never defragment an SSD, as this not only won’t speed it up but can even reduce its life span.

Two utilities that include defragmentation capabilities are Drive Genius and TechTool Pro.

Make Sure Scheduled Maintenance Tasks Run

macOS includes a tiny Unix utility called periodic that performs a variety of scheduled cleanup tasks, such as deleting or compressing old log files and generating reports about system usage. Once a day, periodic is supposed to run “daily” tasks; once a week, “weekly” tasks; and once a month, “monthly” tasks. (These names are more or less arbitrary; if, for example, you ran the monthly tasks every week, no harm would result.) The periodic program doesn’t launch itself, though; running it at the proper times is the job of another program, called launchd. Apple set the launchers to run the scripts in the middle of the night, so they wouldn’t slow down other things your Mac might be doing.

If your Mac is off or asleep at the scheduled time (as it is for most of us), the scripts can’t run when they’re supposed to, so launchd attempts to run the scripts later. If your Mac is asleep at the time that these scripts are supposed to run, launchd usually runs them as soon as you wake your Mac up. However, the scripts don’t run if they missed their scheduled execution because your Mac was turned off.

In short, unless you leave your Mac on overnight, the periodic command may need help to do its thing. Numerous apps let you run the maintenance scripts manually at any time or, in some cases, to schedule them for times you know your Mac will be available.

But you probably don’t need to use any of them.

I say this mainly because the tasks the periodic scripts perform are mostly trivial. The old files these scripts delete or compress tend to be pretty small; there’s little practical benefit to erasing them. And the one periodic function I found useful years ago (updating the database used by command-line locate command) has since been moved to a different, more reliable process.

If you’re determined to run these scripts, however, you can do so using utilities such as CleanMyMac, Cocktail, MainMenu Pro, and OnyX, all of which offer numerous other useful capabilities too.

Install Anti-Malware Software

If this book were about PC maintenance, one of the first steps would have been to install anti-malware software. For Windows users, malware (malicious software) has become epidemic in recent years, leading to untold grief and loss of time, money, and data. Among the types of malware are viruses (and their relatives worms and Trojan horses), spyware (apps that spy on your computer usage, collecting sensitive personal data), and pop-up ad apps. Luckily, far less malware runs on macOS than on Windows.

Although Mac users have been reasonably fortunate so far (partly because Apple has built multiple anti-malware features into macOS), Macs are by no means immune to infection. There have been a few widely publicized incidents of destructive Mac malware in the wild, and there will certainly be more.

However, despite these outbreaks, I don’t currently make a blanket recommendation to use anti-malware utilities. I’m not saying such software is an unqualified bad idea for Mac users, but I also don’t think every Mac user would be better off installing it.

My current thinking about anti-malware software for the Mac is:

• Because there’s comparatively little Mac malware out there, most Mac users will never encounter any, regardless of what they do.

• For what malware there is, common sense is the best defense. Turn on your firewall (in System Preferences > Security & Privacy), stay away from unsavory websites (particularly those trafficking in pirated movies, TV shows, music, and software; porn; and gambling), and don’t click links, or open enclosures, in email messages from unknown sources.

• Use a password manager (see Update Weak Passwords) to generate strong passwords and fill them in for you automatically. Password managers won’t autofill your passwords on counterfeit sites, reducing the likelihood that you’ll fall for a hoax or scam that exposes you to malware.

• Keep your copy of macOS—including any security patches—as up to date as possible.

• Apple’s System Integrity Protection (SIP) security feature prevents malware from damaging critical files, but I’ve seen several apps and websites that encourage users to disable it (a procedure I’m not going to document here)—usually in order to run an app that does something against Apple’s security rules. Please don’t disable SIP! It’s there for your protection, and if you turn it off, even temporarily, bad things can happen.

• Some Mac anti-malware software is intrusive and hinders performance, and some is of questionable efficacy.

• Most Mac users can save money, and enable their Macs to run faster and more efficiently, by abstaining from anti-malware software—without incurring any significant risks.

• Every rule has its exceptions! People who should install anti-malware software on their Macs include those who are obligated to do so (because of an employer’s rule or a legal requirement), who don’t keep their Macs up to date with Apple’s system and security updates, who choose to disable macOS security features, or who engage in high-risk behaviors such as sharing pirated files.

If you do decide to run anti-malware software, or if you’re required to use it, the following are examples of Mac anti-malware software that are available to individual users (some others, designed for corporate use, are available only in quantity):

• Avast Security for Mac

• Avira Free Antivirus for Mac

• Bitdefender Antivirus for Mac

• ClamXav

• Comodo Antivirus for Mac

• F-Secure SAFE

• Intego VirusBarrier (part of Intego Mac Internet Security)

• Malwarebytes for Mac

• Norton Security

• Panda Antivirus for Mac

• Sophos Home

Of these, I’ve read the most favorable comments about ClamXav and Malwarebytes for Mac, so if you’re having a hard time choosing, I’d look at one of those first. But remember, the most important question about any such app—even before considering performance and usability—is how effectively it protects you from the next malware to appear, the one nobody has seen yet. Unfortunately, this can’t be tested, except in retrospect.

Change Your Passwords

In a much earlier edition of Take Control of Maintaining Your Mac, I recommended changing your passwords once a year. Now, quite a few years and a great deal of research later, I no longer think that makes sense, and I’ve thus moved this task here among other activities you can safely avoid (except in specific situations, as I explain ahead).

To see why, let’s walk through a hypothetical sequence of events (using, incidentally, extremely weak passwords that you’d be ill-advised to use in real life). For this example, we’ll suppose you change your password every three months—more often than I suggested but nevertheless a common recommendation:

1. Let’s say that on January 1, your password for a certain website is newyear.

2. After three months, you change it. On April 1, it’s foolme.

3. Oh no! Sometime between April 1 and July 1, when you would have next changed your password, the bad guys hack the site and steal your current password. Havoc ensues.

4. When the site informs you of the security breach, you change your password again, but the damage has already been done.

In this sequence, your password change on April 1 does no good, and neither would the change you would have made on July 1, because the attack occurs in between changes. With me so far?

In order for an attack to be successfully thwarted by a password change, the sequence would instead have to look something like this:

1. On January 1, your password for a certain website is newyear.

2. Uh oh! Sometime between January 1 and your next password change, the bad guys hack in and steal your password. But…they just hold onto it. They don’t log in, steal your data, change your password, or do any other mischief. They wait.

3. On April 1, you change your password to foolme.

4. Any time after April 1, the bad guys finally get around to trying your password, at which time they discover it doesn’t work. Ha! Foiled!

Do you see the problem here? The success of periodic password changes hinges on two equally improbable occurrences:

• Whoever stole your password waits (probably a significant amount of time) before attempting to use it.

• You experience extraordinarily lucky timing, changing your password after the (unknown to you) password theft but before the thief uses it.

In reality, an attacker who obtains your password will probably try to use it as soon as possible. Waiting increases the risk that someone will discover the intrusion and alert you to change your password, and the one the attacker already has will be useless. (Furthermore, if all your passwords are unique, as they should be—see Update Weak Passwords—any damage resulting from fraudulent use of your password would be limited to just this one site.)

But even if the attacker holds onto your password for a while, the fact that the theft is unknown to you means any interval you choose for password changes—yearly, daily, or even hourly—is nothing but a wild guess. By changing your password at any arbitrary interval, you are in fact gambling that someone has stolen, but not yet used, your password at that moment—but will in the future. I wouldn’t take that bet. The odds against it are unfathomably large!

Of course, if your bank, your employer, or another website requires you to change your password periodically, you have no choice. A password manager (refer back to Update Weak Passwords) can make the process painless.

In addition, you should always change your password immediately if you become aware of a known or suspected security breach. You don’t have to change all your passwords, only the one(s) related to breach.

To learn much more about password security, read my book Take Control of Your Passwords.

Delete Your Cookies

Cookies aren’t just a delicious snack food. They’re also little bits of text that most websites store on your computer as you browse the web. Browser cookies serve many useful purposes, like enabling sites to remember your preferences and the contents of online shopping carts. They can also serve potentially sinister purposes, such as letting advertisers track where you go on the web and what you look at, building up a dossier of your personal details and preferences.

As a result of the numerous ways cookies have been misused, especially those that blatantly violate everyday expectations of personal privacy, lots of people habitually open their browser settings and delete all their cookies—or use a third-party app to do so for them. I recommend against this practice for three reasons:

• Deleting cookies after they’ve already been stored on your Mac is, to some extent, closing the barn door after the horses have bolted. Tracking cookies present on your Mac for even a short time can reveal a lot about you to advertisers and other parties.

• As a corollary to the previous point, prevention is a far more effective strategy, and there are numerous ways to achieve this.

• Most cookies are in fact useful, and deleting them en masse may inconvenience you more than it helps.

Instead of deleting cookies periodically as a maintenance task, I suggest taking steps to avoid the cookies you don’t want in the first place. For example:

• If your browser offers the option, set its preferences to accept cookies set by the site you’re currently visiting (or, perhaps, any site you visit regularly) but to block third-party cookies, which are commonly used for tracking purposes. For example, in Google Chrome, choose Chrome > Preferences, click Advanced at the bottom of the page, click Content Settings, click Cookies, and turn the “Block third-party cookies” switch on. (Safari used to have a comparable setting, but in Safari 11 and later you can only allow or disallow cookies globally. However, behind the scenes, Safari automatically employs anti-tracking measures, as long as you have “Prevent cross-site tracking” selected, as it is by default, in Safari > Preferences > Privacy.)

• Install a browser extension that blocks ads—and, along with them, the cookies used for tracking (but not other kinds of cookies). For Safari 12 or later, your best bet is to use a highly rated extension downloaded from the App Store’s Safari Extensions category, such as Unicorn Blocker:Adblock, Ad And Stuff Blocker, Better Blocker, or Ghostery Lite. For other browsers or older versions of Safari, you might consider extensions such as uBlock Origin, AdBlock, Adblock Plus (no relation), or Ghostery.

• When you plan to visit a site that you prefer not keeping a record of, use your browser’s Private Browsing mode to temporarily turn off cookies (and other data, such as browsing and download history). For example, in Safari, choose File > New Private Window.

For vastly more detail on cookies (including such troubling variants as evercookies or zombie cookies, Flash cookies, and Silverlight cookies), not to mention a long list of other considerations in protecting your privacy while browsing the web, read my book Take Control of Your Online Privacy.