This is what MFI had to say on the subject:
"Mac OS X Screensaver Security: Crashing Screen Effects
Over the weekend, MacFixIt reader Charles Maurer submitted the following report, indicating yet another potentially serious security flaw in Mac OS X 10.2.6's Screensaver implementation:
"I don't know the exact amount of characters, only that if you leave a key pressed for 5 minutes or more and then hit the enter key, you crash the screensaver and gain access to the desktop. you can mess the desktop and all around it (network, mail, docs, anything you can imagine)."
Later, SecuriTeam.com posted a note stating that "It appears that MacOS X's screensaver can be crashed by providing it with between 1280 and 1380 characters (followed by pressing the Enter key)."
In January of this year, we noted an issue that allows applications to be freely quit or launched - while Mac OS X's Screen Effects is prompting for a password.
If you have Full Keyboard Access turned on (available under the Keyboard pane in System Preferences), the dock can be accessed "blind" from behind Screen Effects - you can't see the dock, but some functions using it are still accessible. On our in-house system, we have the Dock set to appear when the "Control-F3" keyboard combination is pressed.
When Screen Effects prompts for a password, pressing this keyboard combination will move the cursor out of the pop-up prompt dialog box, and onto the Dock (which is not visible). Pressing tab to switch applications, and then pressing "Q" will cause applications to quit. Likewise, pressing "Return" will cause applications to launch.
This issue significantly undermines the protection level offered by Screen Effects. If you choose to use this method of password security, make sure that Full Keyboard Access is turned off.
The bottom line is that if you want a secure Mac OS X system, do not allow any other individuals to gain physical access."
-----
Good point re physical access. Perhaps most already know, but for those who do not: presuming one has access to another's machine and you have an installation OS, and the target machine is not protected by the Open Firmware Password, all one need do is insert Disk 1 to change the password. Then, you can install the Open Firmware Password. And from then on, that machine is yours!
Harv
