Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Use Launchbar to access securely stored passwords Apps

After searching MacUpdate for password/serial storage apps and trying various free apps, I realised that none of them work the way I want. But then I recalled that LaunchBar can index plain text files. By storing the plain text files on an encrypted disk image they're kept safe (when you're not logged in).

  1. Save your passwords, serials or whatever in individual text files. I have files with names like "Amazon", "eBay" and "Mastercard". Each file contains the relevant info for that account or card.
  2. Create a new encrypted disk image in Disk Utility. I set the size to 2.5MB, selected AES-128 for encryption (why is that the only option?) and left the format as regular read/write. When prompted to set a password for the disk image make sure you opt to save the password in your keychain.
  3. Now add the .dmg file to your startup items (in your "Accounts" preferences). Because you added the disk image password to your keychain, it will mount automatically when you log in.
  4. Make sure the disk image is mounted before proceeding. In the LaunchBar configuration window, add a new custom type in the "Setup" pane. Set the location as the mounted disk image, and set the "Scan Type" to "Text Files" (the second from bottom option on my setup).
  5. Once this new location is indexed by LaunchBar, you can hit Cmd-Space, type the password you're looking for and hit enter.

Can anyone who's better informed on such things comment on how secure this is? Obviously the files are accessible when you're logged in, but how secure are they at other times? "AES-128" suggests 128 bit encryption, which seems a little weak to me, but I accept that I'm no expert.

    •    
  • Currently 2.25 / 5
  You rated: 1 / 5 (4 votes cast)
 
[9,188 views]  

Use Launchbar to access securely stored passwords | 18 comments | Create New Account
Click here to return to the 'Use Launchbar to access securely stored passwords' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Use Launchbar to access securely stored passwords
Authored by: notmatt on Jan 28, '04 11:38:33AM
AES-128 is the new strong encryption standard for the US Government, and was selected on an open competition. It's widely regarded as secure. In fact, it's likely much more secure than any number of other things on your laptop already. AES Homepage. Comments in Cryptogram by Bruce Perens.

[ Reply to This | # ]
Use Launchbar to access securely stored passwords
Authored by: henry on Jan 28, '04 01:48:41PM

Having dusted off my InfoSec brain cells on the AES spec (FIPS-197, cheers for the pointer) I am suitably reassured of it's strength. I'm still left wondering why Apple doesn't offer us the option of AES-192 and AES-256 as well as the 128 bit variant.



[ Reply to This | # ]
Use KeyChain Access to securely store passwords, etc
Authored by: asteryx on Jan 28, '04 12:16:14PM

Keychain Access is built in to every copy of OS X. Open it from the Utilities folder. Store free-form information in a Note and passwords in Passwords. If you want to categorize information, such as credit card info or SSNs, etc. I suggest creating separate keychains.



[ Reply to This | # ]
Use KeyChain Access to securely store passwords, etc
Authored by: henry on Jan 28, '04 02:19:36PM

Keychain Access was my first port-of-call whilst searching for a password solution. I like that it's built-in, and you can allow apps access to keychain items. But I don't like the fact that there's no search facility (not that I could find anyway) and I don't like having to tick a little box, then enter my system password before I can see the information I want.

The lack of a good search facility is what led me to LaunchBar in the first place. I want to be able to just type the name of the password I want and then have it displayed for me, and I want to be able to do that in any application without launching another.

If Apple adds a good search facility to Keychain Access I'll likely switch to that instead, but LaunchBar is a hard act to follow in my opinion.

As an aside: I initially thought it was ironic that I used LaunchBar to launch Keychain Access back at the start of all this, but after consulting the dictionary I'm not so sure.



[ Reply to This | # ]
Use KeyChain Access to securely store passwords, etc
Authored by: lavar78 on Jan 29, '04 04:30:12PM
As an aside: I initially thought it was ironic that I used LaunchBar to launch Keychain Access back at the start of all this, but after consulting the dictionary I'm not so sure.
Ironic: "characterized by often poignant difference or incongruity between what is expected and what actually is"

It is ironic. You sought out a program that you thought would be your solution by using the one that turned out to be your solution. You're no Alanis. On topic, I second the suggestion of SplashID.

[ Reply to This | # ]

Use Launchbar to access securely stored passwords
Authored by: aranor on Jan 28, '04 12:44:20PM

I personally prefer MacJournal with a locked journal for my passwords.



[ Reply to This | # ]
Not free, but SplashID is good too
Authored by: valx on Jan 28, '04 01:02:01PM
It's not free, but I use SplashID for storing sensitive information since it will sync with my Palm. It uses Blowfish encryption (good enough for my encryption needs).

[ Reply to This | # ]
LaunchBar isn't free either
Authored by: henry on Jan 28, '04 01:58:58PM
It's the same price as SplashID, in fact. I don't need to sync my passwords with any handhelds, so plain old text files do me fine. Although I guess you won't be interested, (having already purchased SplashID) others looking for PalmOS password software might like to check out Keyring for Palm OS. Before my Palm died, it took care of all my password needs very capably.

[ Reply to This | # ]
LaunchBar isn't free either
Authored by: valx on Jan 28, '04 04:26:15PM

Yes, I know...I couldn't live without my LaunchBar. :-)



[ Reply to This | # ]
Possible security hole?
Authored by: huzzam on Jan 28, '04 05:59:13PM

I don't have LaunchBar, but a possible security hole you might want to look into is this: when LB indexes the text file, where does it store the index? Is it written unencrypted to disk by any chance? That could be a vulnerability if there are other users you don't trust using the same machine.



[ Reply to This | # ]
Re: Possible security hole?
Authored by: henry on Jan 29, '04 10:00:37AM

I hadn't thought to check that, I must confess. Looking now I see that LaunchBar stores it's cache in this file:

~/Library/Application Support/LaunchBar/SetupCache.plist

Because LaunchBar is only indexing the names of the text files it doesn't present much of a threat. Unless you consider an attacker knowing which websites you frequent, and which cards you use, to be a threat. And if you're that concerned about security then you probably wouldn't use this system anyway.



[ Reply to This | # ]
Faster Method using LaunchBar
Authored by: valx on Jan 28, '04 06:46:37PM

I was just playing around with this idea in LaunchBar and found something that may be a little faster and more convenient.

Rather than creating individual text files for each password, just create one html file. For each password create a line like:

<a href="mypassword">Some Web Site</a>

Save the file as described above using the encrypted disk image, login item, etc.

Then in LaunchBar set this file up to be scanned for bookmarks. When you type the name in LaunchBar, it automatically displays the password in LaunchBar without having to actually open any other files. Also, just by typing command-c while the password is displayed in LaunchBar, you have copied it to the clipboard so you can paste it wherever you like.

This way you only have one file for all your passwords and you don't have to open and close text files just to see a password.



[ Reply to This | # ]
Re: Faster Method using LaunchBar
Authored by: henry on Jan 29, '04 09:43:21AM

I didn't think to try that -- it's a great idea, but I don't think it'd work for me, as I often need to store more than just a password. I like the flexibility that the text file approach affords me.



[ Reply to This | # ]
Faster Method using LaunchBar 2
Authored by: valx on Jan 28, '04 07:00:24PM

If you want to be extra sure on security for this method, you would probably want to:

1. Put your ~/Library/Application Support/LaunchBar/ folder on the encrypted disk image and leave an alias to it in your Application Support folder.

2. For the "Perform Setup Scan" on this item, choose "Each Startup".



[ Reply to This | # ]
Re: Faster Method using LaunchBar 2
Authored by: henry on Jan 29, '04 10:08:56AM

valx -- I think that if someone was to use your HTML file suggestion, they would definately need to move their LaunchBar cache file (probably the whole support folder to be safe) onto the disk image. There'd be little point encrypting the HTML file and leaving the LaunchBar cache in the clear.

It's worth noting that doing so would require them to ensure that the disk image mounts before LaunchBar launches.



[ Reply to This | # ]
Safety for portables: Password Wallet
Authored by: klktrk on Jan 29, '04 11:32:13AM

The problem with schemes like this is that they assume your data will only be compromised when you've logged out, or unmounted your encrypted disk, etc. The fact is that your data is most likely to be compromised when you least expect it. Your sleeping powerbook is stolen. Your Palm pilot is lost.

What you need is a storage mechanism that automatically re-encrypts itself and locks itself after an interval, say, 30 seconds. That way, a thief or opportunist has only a very slim chance of grabbing data. they would have to have your Palm pilot or laptop in their hands within thirty seconds of stealing it or finding it and without putting it to sleep.

With stuff as sensitive as bank logins, etc., it is worth every penny to invest in a tool that right for the job. I recommend Password Wallet, but there are others. Look for software that re-encrypts and locks its vault automatically after a brief amount of time. Also, it's cool if it can sync with Palm. Password Wallet has an application for Mac OS X, and for the Palm Pilot, and they sync beautifully.

Please, DON'T hack together an insecure solution. Identity theft is on the rise. $20 is money well spent towards helping secure your entire financial and personal life.

My 10 cents.

K



[ Reply to This | # ]
Safety for portables: Password Wallet
Authored by: valx on Jan 29, '04 02:46:27PM

SplashID contains all of these features as well.



[ Reply to This | # ]
Re: Safety for portables: Password Wallet
Authored by: henry on Jan 30, '04 10:03:23AM

Kristofer -- point taken. I did consider the issue of security whilst logged in, and I agree that this is not the ideal solution for everyone. Perhaps I should have included my thoughts on this in the original hint, but I didn't want it to be overly wordy.

I agree that this system does not offer any protection against someone stealing your machine whilst you're logged in, or remotely accessing your machine whilst you're logged in and the image is mounted.

I also agree that this system is, therefore, not a good solution for everyone. However, in my case, I take steps to secure my machine while online at home, and I'm behind a pretty good firewall while in my department. I also set my machine not to wake from sleep without a password, and I use a password protected screensaver on a short fuse. Either of these measures would cause a thief to reboot, thus unmounting the disk image.

I realise that this hardly constitutes a secure system, but when you consider that I use a strong password, which I change regularly, and that the nefarious types that engage in ID theft currently target windows machines (or at least expect to find a windows machine when they open the stolen bag), I consider it to be secure enough for me.

Of course, others will need to make that decision for themselves. For me, this system provides an acceptable level of security, especially when you consider the ease of use. Again, this is only my personal opinion, and I know you're not supposed to sacrifice security to gain usability, but, well, I'm prepared to in this case.



[ Reply to This | # ]