Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Password security exposure with the Keychain System
The following was submitted by an anonymous tipster:
I opened the Keychain Access utility in Mac OSX a while ago and noticed that it has a potential security flaw. In order to reveal the password for a particular entry, all a user has to do is open the Keychain Access utility, click 'Get Info" on an entry, and click on the "View Password" button, and the password is shown in clear text.

Since Mac OS X unlocks the keychain at login, anyone can find out a user's password in the span of a few minutes without having to authenticate themselves. In a shared environment, this flaw alone renders the Mac OS Keychain useless as a secure store for passwords that you might not want others to have access too.

A simple fix would be a password dialog that asks for the user's keychain password before the keychain is shown or before the password is revealed.
This problem strikes me as a Bad Thing. I realize that all bets are off with physical access to the machine, but in something like a lab environment, such access is bound to occur. A simple dialog box would at least stop the quick-look password thieves.

For now, the only solution I found was to manually lock your Keychain each time you login. Launch Keychain Access and select File -> Lock "user_name" (or just hit command-L). Once locked, you'll need a password to unlock and view the stored keys, which solves the security problem in a lab -- but you need to do this at each login.

Are there practical reasons why the Keychain is not left locked at login? I tried receiving mail and browsing the web with the locked Keychain, and had no problems.
    •    
  • Currently 1.00 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (1 vote cast)
 
[8,200 views]  

Password security exposure with the Keychain | 30 comments | Create New Account
Click here to return to the 'Password security exposure with the Keychain' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Use screensaver to lock your Mac
Authored by: sjonke on Apr 15, '02 10:17:57AM

The keychain would be less useful if it didn't unlock at login IMHO. I use the screensaver to lock my Mac when I'm away - turn on the require password option in the screensaver and set a corner to activate the screensaver. Now when you are going to leave your mac just move the mouse into that corner and viola.



[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: mnewman on Apr 15, '02 06:17:33PM

I have tried this several times on my Spring 2001 iBook. Problem is, it takes forever to get the machine back once the screensaver is activated. Sometimes several minutes before the password dialog box appears and this just using the "basic" screensaver.

On my OS/9 machine waking up from Sleeper's screensaver is almost instantaneous as is waking up from the screensaver on the NT machines at work.

Any ideas how to speed up recovery from the OS/X screensaver?



[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: acct_removed on Apr 15, '02 06:39:34PM
That's not normal. Recovery from screensaver is immediate on my iBook (Late 2001, 600 MHz, DVD/CD-RW, 384 MB). -- Joris Artels II - Artels.org

[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: baba on Apr 15, '02 07:41:39PM

I have a vague memory of problems with awakenings from sleep with my iBook, but I haven't seen
it since I patched my system to 10.1 .



[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: leenoble_uk on Apr 16, '02 03:35:53AM

It might be your network. You said you have problems on one machine, not another. The other difference may be that one is networked, the other isn't. I have noticed that sometimes it can take 2 minutes for OSX to give up looking for a lost network drive. This comes across as a total system lock up while it searches.
Do you have any appletalk drives mounted? If so see what happens to your wake-up scenario if you eject the disk from your desktop first.



[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: sjonke on Apr 16, '02 09:52:03AM

I had this same problem on my 366Mhz ibook (clamshell). Is Spring 2001 a new-style or older style iBook? I have not seen this to such an extent on my new PowerBook. I would say never, but there was one time when I did seem to get a delay, but only for 7 or 8 seconds. It hasn't happened since. The problem with my ibook seemed to improve a lot with newer versions of OS X, but as I recall I would still see a delay some times. I'm presuming it's a bug in OS X. Update to the latest version of OS X if you haven't done so already and that might help.

Of course the PowerBook has its own problem: lousy airport range, but that's another story....



[ Reply to This | # ]
Use screensaver to lock your Mac
Authored by: baba on Apr 15, '02 07:47:11PM

If someone has physical access to your machine, there are far more serious exploits than keychain acess -- specifically, root access. Implement your screensaver lock and worry your head no more unless your are prepared to physically secure your machine.



[ Reply to This | # ]
Set Keychain Access to lock automatically
Authored by: Elander on Apr 15, '02 10:23:56AM

You can set the Keychain to lock automatically after x minutes of inactivity and / or system sleep.

Launch Keychain Access and choose "Edit -> Settings for user..." and check the boxes at the bottom of the dialogue.

Although this is not a complete solution, at least it is automatic and easy...



[ Reply to This | # ]
Apps need unlocked keychain
Authored by: Telluride on Apr 15, '02 10:28:29AM
I agree with you that Apple has definately overlooked a serious security issue here and should come up with a better model for protecting the keychain. Apparently the keychain has to be unlocked for applications to use it though. If I lock my keychain and then try to run an application which stores the password in the keychain (i.e. Entourage, Adium, iTools, etc) then when I run the application, it asks me for my keychain password so that it can get the stored password. Going back into the Keychain utility reveals that it is no longer locked. I am guessing that Apple's thinking is that if any application can access the stored passwords in the keychain, then any human can as well because the human could just write an application to access it. Therefore they just let the human access it directly. I call out to Apple to SERIOUSLY reconsider their security model here!!! Who uses their computer in a completly closed environment where random people are never walking by? Not me! I constantly think about what could happen if i left my computer sitting by itself for 5 minutes. For me, the best solution at this time is to not leave any important passwords in the Keychain. Furthermore, it is good security practice to have a password protected screen saver running. As far as fixing this problem though, it should not be that hard. Perhaps the keychain could be locked for everything except for an "acceptable application list." Furthermore, you should at least have to enter the keychain password to view the other passwords in the keychain. Finally, all keychain access should be logged so that people can see what's been going on in their system. I plead with you Apple, PLEASE CHANGE THIS!!

[ Reply to This | # ]
Already locked
Authored by: WillyT on Apr 15, '02 10:31:56AM

My keychain is locked and mail.app asks for the password every time it is started. It does not unlock automatically at login. I do not have anything set to automatically send a password except Internet Connect. Multi-user system. Password required for each login.
Don't know if this works differently with one user and automatic login.



[ Reply to This | # ]
Already locked
Authored by: Telluride on Apr 15, '02 10:41:52AM

But, once you have entered the password once (for mail), does the keychain remain unlocked (i.e. can you start up the keychain utility and see your passwords)?



[ Reply to This | # ]
Already locked
Authored by: WillyT on Apr 15, '02 08:58:08PM

Yes but only after I give the keychain password to mail. Then it locks back up after a few minutes. I hadn't seen this (that it was actually unlocked for a few minutes) before my post. Luckily I've set my mail keychain name to something different than my user name. And passwords are different than login passwords. I'm semi (or very depending) paranoid so I use different passwords for different things.

Still this is NOT acceptible to ever display a password in plain text, but I realize that these must be available in plain text in order to even use them. So thay can't be hashed like the user passwords (those can't easily (possibly just can't) be decoded back to plain text) For people copying the password field in NetInfo that should be only the hash so a duplicate hash is a duplicate password.
Willy



[ Reply to This | # ]
Set your keychain password!
Authored by: sabi on Apr 15, '02 11:41:42AM

If you set your keychain password to something different from your login password, then it won't unlock when you log in. Mac OS X just tries your login password in the keychain as well as a convenience, but if it fails, no big deal (and it sounds like it's actually preferable in this lab situation).

Mac OS 9's Keychain Access was a lot more paranoid, it'd ask you for your password when you attempted to view a password. I assume people complained that this was too cumbersome so they changed it.



[ Reply to This | # ]
locked keychain
Authored by: uurf on Apr 15, '02 12:09:22PM

The above dexribed "security flaw" scenario only occurs if the user has explicity selected "always allow" in response to the Keychain Access dialog. (when I select an item in an unlocked keychain listing, then select show inf, then select view password, I receive the "Confirm Access to Keychain" dialog with the options "Deny", "Allow Once", and "Always Allow").

The account preferences on each user's keychain also allow me to specify whether the keychain locks during a specified amount of inactivity, and whether or not to lock if the system sleeps.



[ Reply to This | # ]
locked keychain
Authored by: ashill on Apr 15, '02 01:05:04PM

Choosing 'Deny' does not permanently deny access to that password; it simply denies access that one time. If you click deny once, then try to view the password again, you will be presented with the same dialog; click allow, and you're in.

-Alex Hill



[ Reply to This | # ]
easy fix
Authored by: enderai on Apr 15, '02 01:10:57PM

a simple fix would be to go into the edit menu/set <keychain> settings...
and set time until lock (or whatever) to zero. the keychain will lock immediately after being requested for a password. note: to now /view/ the keychain, you have to go back and set this number to something other than zero (don't worry you can, as you can access these preferences when a keychain is locked, and yes, you have to type in your pword)



[ Reply to This | # ]
DON'T PANIC
Authored by: dr_turgeon on Apr 15, '02 01:46:28PM
There is no problem...
I also like a less paranoid Keychain (although it's only good for about 3 apps)
Use screensaver to lock your Mac -- sjonke
Set Keychain Access to lock automatically --Elander
Set your keychain password! -- sabi...

How did this become a topic?

[ Reply to This | # ]
easy fix...not so easy
Authored by: Telluride on Apr 15, '02 01:50:23PM

The problem comes when you have applications like Entourage that need keychain access every 15 minutes or so (auto mail download). If the keychain is locked, then it will not be able to get the password to retrieve mail, etc. This is an inherent problem in any type of program which may need to have periodical keychain access without user intervention but still be able to keep the password securely locked up.

As an aside, another needed security feature is the ability to lock applications and aliases down so that you have to enter a password to start them. For example, i leave my mail app running all the time in the dock....i really wish that i could lock it down with a password so that if i step away from my computer for a bit, noone can go snooping around my email. Furthermore, there are certain applications like firewall administration, etc which would be nice to lock down.



[ Reply to This | # ]
easy fix...not so easy
Authored by: gaffa on Apr 15, '02 06:27:08PM

Try System Prefs > Screen Saver > Activation > Use my user account password.
Set your Hot Corner(s), and check it works, as I've seen problems with some third-party screen savers.

Cheers

Gaffa.



[ Reply to This | # ]
Keychain Problems
Authored by: jonahlee on Apr 15, '02 06:04:25PM

I have always hated Keychain, prefering that the passwords remain in their programs, so I don't have to unlock it every time. I have an applescript that opens my Keychain in OS 9. In OS X I never activated it, but it seemed to be on after one of the various OS X updates. I put in nothing as a password so that I could just hit return. I didn't know that if you put in your login password it would automatically unlock the keychain. I just tried changing my password to my login password, but to no avail. My Keychain is always locked at Startup! Is there any way to make it so it always unlocked at startup so I don't have to worry about it or have to dismiss it each time?



[ Reply to This | # ]
What a fuss!
Authored by: ihafro on Apr 15, '02 07:11:31PM

I really don't see the big deal. I understand how this can be a major flaw, but I don't see why the keychain is such a big deal. In a lab environment, you should completely LOG OUT if you are going to be away from the machine for any period of time. And as mentioned earlier, just use the screen saver set at about 2 min to protect from idle snoops. Why is people seeing your keychain such a big deal, when they can do more damage with the terminal and actual access to your machine. You don't need a keychain to "rm -rd ~/" Besides, that takes less time than even getting to the Utilites folder.

Robyn
-------------
Flame me if you want.....It's a fire resistant trash can.



[ Reply to This | # ]
What a fuss!
Authored by: WillyT on Apr 15, '02 09:12:12PM

Yes they can reboot to single-user mode and wipe out everything also.

But keychain access would allow them to get your email, purchase stuff online and probably steal your identity. Or change your passwords for apps and make them unuseable. So best to keep it locked as much as possible.



[ Reply to This | # ]
This seems to be NOT a security flaw!
Authored by: wealthychef on Apr 16, '02 01:06:30AM

If I'm understanding your complaint correctly, it is that you can access all the passwords in YOUR Keychain "without authenticating," "after logging in." I assume you are talking about all YOUR passwords (I don't use the Keychain, so I may be missing something). Last time I checked, however, logging in authenticates you! If you need to leave the computer, log out! Then nobody can access your keychain, right? I really don't see the problem here. Did I miss something?



[ Reply to This | # ]
No, you did not miss anything...
Authored by: themostbob on Apr 16, '02 11:26:04AM

This isn't a security issue if you're used to multiuser environments. If the system needs to have access to cleartext passwords for keychain use, there's no reason why you couldn't view them in Keychain Access. They have to be stored in a reversable form anyway, so nothing could keep them fully secure. The point is, they don't have to be secure from the user, only others.

Now, that said, I'll bring up this point - what's stopping someone from making a keychain accessing app that culls your keychain for passwords? If this is a simple thing to make then I'm the first to jump up and yell at Apple to implement PAM or hash the passwords in some way (though I don't know how they would be useful given the way keychain works). Any keychain hackers out there want to pipe up?



[ Reply to This | # ]
No, you did not miss anything...
Authored by: etrepum on Apr 16, '02 07:27:54PM

I think you're confused. The whole point of the keychain is that you can recover the plaintext passwords from the crypt passwords with the proper challenge phrase (which is not the same as the plaintext password itself). A hashing algorithm is one way, and is only useful for seeing if the hashed password is equal to the plaintext password, it will in not work in a scenario when you have a challenge phrase that differs from the password you are trying to decrypt. What good is a keychain if you have to know all the passwords anyways?

In any case, PAM is a different, yet also irrelevant, story. PAM is a system for Pluggable Authentication Modules, and is largely independent of any paritcular cryptography or credentials scheme. Basically, you write a PAM module and configuration for that module, and an application can say to the PAM daemon, "Hey, this guy has these credentials and I want to let him do X, can he?" and the daemon will respond with yes or no. PAM encompasses quite a bit more than this, but that's the general idea. This requires all the applications on the system to know about the PAM daemon, and also to trust the PAM daemon. Again, the whole point of the keychain is that you can recover the plaintext passwords from the keychain so that you may use them for communication with either local or most importantly remote systems. Remote systems are not going to trust your local PAM daemon by any means, so.. you lose. PAM would only be used at the user level with the keychain, where the keychain could ask the PAM daemon if these user is allowed to decrypt a particular key with these credentials and authentication. It's not going to change anything regarding what the keychain thingee does with said keys. This is the reason Apple hasn't implemented PAM with Darwin, is that they haven't found a compelling reason to spend the development effort doing so when they have so much else to fix.. PAM doesn't change much, it just lets your authentication systems be more dynamic, i.e. having /etc/password being encrypted in md5 or sha or blowfish or whatever the hell else the user feels like. I'd imagine there are PAM modules for more esoteric things like the s/key systems. PAM is also useful for more distributed applications where the particular PAM module can contact a remote host for the answer, as in talking to a Windows Domain Controller [cringe], IMAP Server, Kerberos thing, or whatever you want.



[ Reply to This | # ]
Autolocking and two keychains
Authored by: betabug on Apr 16, '02 04:13:43PM

As others have pointed out, what you need is to set the keychain to
autolock after a certain amount of time.

Next: Only use the keychain that the system generates for your username
for insecure stuff. (Your POP password probably goes over the wire in
cleartext anyway, so you might as well store it in the keychain and have it delivered
to the mail program.)

Create a second keychain for stuff that you want to keep locked away. Then
only unlock that keychain when you need something and lock imediately afterwards.
That way your more important stuff will never lay around unlocked. Of course you give
that other keychain a different password from your login password.

Also keep in mind, that no really important password should be left written down -
in the keychain or any other file on a computer. The keychain is very good for
low sensitive passwords.

The good part about the keychain is that you can look up a password that you
have to give to a coworker. And you can do that while she is watching over your
shoulder, without exposing any of the other passwords in there.



[ Reply to This | # ]
No, you did not miss anything...
Authored by: themostbob on Apr 19, '02 05:50:01PM

I know what a hash is - like I said, not useful. As you describe PAM, no not useful for off-system access. But my question stands:

What is access to the crypt'ed passwords like? Can a random app cull them? The fact that they are NOT hashes seems, at the basest level, to indicate it is possible. I've shied away from Keychain in that past because of vague notions along this line, but I want some real data now...



[ Reply to This | # ]
SIMPLE FIX
Authored by: snyperm on Apr 25, '02 12:16:58AM

yeah this functionality really pissed me off originally. Apparnelty I can't have the keychain locked and allow apps that i allow to access it access it. Hence hte only option seemed to be having the keychain unlock after a minute. Setting it to zero would require me ot enter the pasword several times in entourage after it checked one mail account and moved on ot the next...the ykeychain had locked os quickly it needed my password again.

SIMPLE SOLUTION
possibly not the most correct way to do this but it works. ush batchmod or if you know unix and simply set the permission so that only root can execute,write, or read tghe keychain.app!. of course before you od this unlokc you keychain and set it to be unlocked. Granted this is kind of a backwards way to do it..but it seems ot wokr fine so far.



[ Reply to This | # ]
Password security exposure with the Keychain
Authored by: tty33 on Oct 12, '03 09:45:42AM

What opering system are you using, MAC OS X 10.2.8 has everything locked up, I can't even get to the show info?



[ Reply to This | # ]
Password security exposure with the Keychain
Authored by: KooLLaiD on May 04, '07 12:27:39PM

For me the single most annoying thing about OS X is having to Re-authenticate to install a new Application, move items from certain folders, etc.. There needs to be an option that if you are logged in as an Admin you do not have to authenticate for every friggin thing you do. Not even windows makes admins do this. It drives me nutts. Like someone mentioned. You want more security make your screen saver require a password when waking and use a hot corner.



[ Reply to This | # ]