
Create a 'password safe' for online passwords
Like many readers, I have three or four online accounts I want to protect. One way is to use good passwords, but how can I remember them or store them securely on my Mac?

I create an encrypted disk image with Disk Utility, and put the disk image into my Documents folder. I set it up as 128 bit AES encrypted, password protected, and don't add to Keychain. I named the disk image Secret.dmg. Next, I created a blank text document, and copied it to the disk image. Now I just use a password generator (in my case, the freeware PassGenX) and create passwords for my online accounts, and enter them in the text file on the image. Finally, I drag the text file onto the Dock, then unmount the image. (The Dock icon is just an alias to the real doc, obviously.)

Any time I want to look up a password, I click on the file's icon in the Dock, enter the encrypted image password, and open the text file.

A poor man's password safe.

Create a 'password safe' for online passwords
Authored by: dcipjr on Dec 05, '05 07:49:31AM

You could also use the oft-overlooked Keychain Access program. In Keychain Access, you can create "Secure Notes", which are encrypted text files. Make one for your passwords and you're good.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: network23 on Dec 05, '05 08:44:21AM

This is a very good idea that I have been doing for quite a while. In my case, I sometimes need access to bank account information or online passwords while at work. I have a firewire drive I carry between home and work and keep a secure disk image on that portable drive. If it ever gets lost or stolen, I am relatively certain whoever may come across the encrypted file won't bother to take the time to try to crack it.

---
Live and Direct, only from
Network 23



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: klktrk on Feb 01, '06 11:41:35AM

Especially since you named the disk image "Secret." They'll never look there :-)



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: themacnut on Dec 05, '05 07:49:59AM

Um, but why not just use the Keychain? It's about as secure as your encrypted disk image, and keeping multiple passwords securely was pretty much what it was made for.

The Keychain IS a "password safe"



---
The MacNut
Owner, ClarisWorks/AppleWorks Email List
http://awlist.macnuthome.com



[ Reply to This | # ]
less convenient
Authored by: macubergeek on Dec 05, '05 10:04:36AM

Yes, you could use the Keychain Access utility. It would also work. It's just less convenient than just clicking on a document icon in the Dock, that's all.



[ Reply to This | # ]
less convenient
Authored by: romulis on Dec 12, '05 05:19:19AM

So you drag Keychain Access into your dock and...

Apple really should have done that for new users, but I guess they have to leave us SOMETHING to complain about :-)



[ Reply to This | # ]
What Could Be More Convenient?
Authored by: inetws on Dec 05, '05 01:09:58PM
I would have to agree with TheMacnut and many other posters here. The keychain was designed for this and is about the easiest thing on the planet to use. One time only you need to type in your username and password at the protected site and then click on the default blue button in the dialogue that appears to save the password.
<shameless plug>
Free Macintosh Technical Support - http://www.inetws.net/support/taxonomy/term/7
</shameless plug>


[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: stephendv on Dec 05, '05 07:57:54AM
You can also use the built in Keychain Access utility and Password Assistant to store arbitrary secret data such as bank, credit card or confidential personal information by creating a Secure note item.

These can be added to existing keychains from the File -> New Secure Note Item. It is recommended that secure notes be added to a separate keychain that does not share the same password as the login keychain. This ensures that, should the confidentiality of the login password be compromised, the secure note will remain secure.

To create a new keychain and add a secure note, choose File -> New Keychain. Once a name and password have been chosen, select the keychain and choose File -> New Secure Note Item.
From the Keychain Access application's preferences there is an option to Show status in menu bar; this allows common keychain functions to be easily accessible from the menu bar. It also allows quick access to the screen lock function.
<shameless-plug>
This is an extract from the whitepaper Securing Mac OS X 10.4 Tiger
</shameless-plug>


[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: rhowell on Dec 05, '05 08:43:50AM

Use the keychain, as others have suggested. The best feature: you can sync your keychain between multiple computers.

An odd bug: When you create a New Password Item, you can enter a URL for the name, which is handy. Why Safari insists on clobbering these when you choose Safari->Reset Safari..., I'll never know. What if I use Firefox? Safari doesn't even use these Password Items, it uses only the Autofill item. Ughh...



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: adrianm on Dec 05, '05 08:46:48AM

Er, why not just use the KeyChain?



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: luhmann on Dec 05, '05 09:09:13AM
This approach seems like a better way to go.

[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: pub3abn on Dec 05, '05 09:10:16AM

Personally I find the encrypted disk image method better. I routinely sync my password lists between home and work, and do not necessarily want to sync the whole keychain. I just drag the disk image to a USB drive, and copy it off onto the other computer. Also I have several different text files in a single disk image, which I use to keep track of various kinds of notes. For me it is a much more organized and practical system.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: siMac on Dec 05, '05 09:20:10AM

You can have more than one keychain. For instance, in addition to the 'session' (default) keychain I have a keychain called USB on my (you guessed it) USB thumb drive. I can unlock this keychain with a simple double click on any mac I connect it to and have secure access to my passwords. On my computers I have the USB keychain assigned as default so it effectively works as a 'key' to my computer.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: el bid on Dec 06, '05 12:27:08AM

Agree. The Keychain stuff is an added level of complexity: I don't fully understand how it is supposed to work, or how it actually works. And I don't trust stuff I don't understand.

OTOH, creating an AES encrypted mountable image is simple to do, simple to understand, and therefore much more trustable. I would certainly prefer the encrypted images to be more portable between operating systems, but this is even more of a shortcoming in the case of Keychain.



---
el bid



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: adrianm on Dec 06, '05 05:31:31AM

How is the Keychain complex? You just use it. It has a nice gui. It just works.

It's probably the best example of easy-to-use power OSX has to offer.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: innate on Dec 05, '05 10:45:20AM

Thanks for this tip! Although I am aware of the Keychain option, I find an encrypted disk to be more versatile. I store things like SSL certificates (yes, they can be kept in the Keychain, but not in the IIS binary format), notes about web sites that have weird password requirements, PGP keys, SSH keys, PDFs of my tax returns, etc.

I hadn't thought about putting it in the Dock — that makes it even more useful.



[ Reply to This | # ]
The encrypted email approach
Authored by: ekc on Dec 05, '05 11:17:09AM

After setting up encryption in Mail (there are other hints on how to do this), I have taken to sending myself a secure email every time I get a new password to remember. The best thing about this is that every machine I work on eventually gets a copy of the password without all the syncing hassles.

I also created a second keychain which stays locked most of the time and tossed my private key into it. That way, someone who borrows my computer will not be able to read those messages without the keychain password.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: letartes on Dec 05, '05 12:11:52PM

I was using the secure notes from the keychain until one day, the note disappeared and I lost all my passwords. I don't know how it happened, but I was pretty mad. After that incident, I implemented something similar to what you described and it worked fine for me. I have been using that for a year now. To be safer, I would name the disk image something other than "secret.dmg". It attracts too much attention. UserManual.dmg for example.



[ Reply to This | # ]
Password Gorilla
Authored by: xsundeep on Dec 05, '05 12:19:27PM

How about Password Gorilla? We use it quite successfully where I work, and it's totally platform-non-specific, so I use the same database on my Solaris station as well as my Mac and PC running XP via USB key... and it's free. Allows for passphrases, but also allows you to generate passwords and *paste* them into password fields...

http://www.fpx.de/fp/Software/Gorilla/

(I have no connection with the software or its makers)

Also: (1) A caution... remember to not place stronger passwords in a password store with a weak passphrase... defeats the purpose, right?
(2) Another... make sure that you have a good copy backed up every so often...



[ Reply to This | # ]
Password Gorilla
Authored by: klktrk on Feb 01, '06 11:47:20AM

Yes, it's free, but... TCL/TK bindings? Ugh. Can't stand looking at those widgets. Since we're evidently suggesting software, I will have to mention Selznick software's Password Wallet. Yes, you pay for it, but the interface is nicer than this gorilla, and you can sync it with a client program for your Palm, so you can carry your passwords (blowfish encrypted) with you wherever you and your Treo go. Spent less than $20 three years ago for it, and I've been super happy with it ever since. Well worth it.



[ Reply to This | # ]
Use OpenSSL
Authored by: dsouth on Dec 05, '05 01:46:34PM
A quicker method that also works cross-platform is to use OpenSSL (which macos includes).

To encrypt a list of secrets with the 256-bit AES, open the terminal and do:

openssl enc -aes256 -salt -a -e -out secrets.aes
You'll then be prompted twice for a password, after which you can begin typing whatever you want. When you've typed enough, hit control-d twice and the data will be encrypted and placed in a file named "secrets.aes".

To decrypt the file created above, do:

openssl enc -aes256 -a -d -in secrets.aes 
Enter the password when asked and openssl will decrypt the file and print it in the terminal. Because openssl works the same under macos, bsd, linux, and (cygwin) Windows, files created like this can be used on any platform.

A slight variation can be used to encrypt/decrypt files (rather than typed input):

openssl enc -aes256 -salt -a -e -in myfile -out myfile.aes
openssl enc -aes256 -salt -a -d -in myfile.aes -out myfile

There are also other cyphers available, type "openssl enc help" for a list. -- Dale

[ Reply to This | # ]
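
The round trip described in the comment above, as an added example that is not part of the original post: the same `openssl enc` commands wrapped in non-interactive functions, with PBKDF2 key derivation switched on where the installed openssl supports it. The function names, the `VAULT_PASS` variable, the iteration count and the sample entry are assumptions made for the example.

```shell
# Added example, not from the original comment. Function names, VAULT_PASS,
# the iteration count and the sample entry are constructed for illustration.
SAMPLE='example.com alice constructed-Passw0rd-1'

# Newer openssl builds warn that the default key derivation is deprecated.
# Use PBKDF2 when available; otherwise keep the legacy derivation, pinned to
# SHA-256 so every machine derives the same key from the same passphrase.
kdf_flags() {
  if openssl enc -help 2>&1 | grep -q -e '-pbkdf2'; then
    printf '%s' '-pbkdf2 -iter 200000 -md sha256'
  else
    printf '%s' '-md sha256'
  fi
}

# vault_encrypt PASSPHRASE OUTFILE   (plaintext is read from stdin)
# The passphrase travels in the environment, not in the argument list.
vault_encrypt() {
  VAULT_PASS="$1" openssl enc -aes256 -salt -a -e $(kdf_flags) \
    -pass env:VAULT_PASS -out "$2"
}

# vault_decrypt PASSPHRASE INFILE    (plaintext is written to stdout)
vault_decrypt() {
  VAULT_PASS="$1" openssl enc -aes256 -a -d $(kdf_flags) \
    -pass env:VAULT_PASS -in "$2"
}

# A salted file begins with the bytes "Salted__"; after -a (base64) the
# first ten characters are therefore always U2FsdGVkX1.
vault_is_salted() {
  case "$(head -n 1 "$1" | cut -c1-10)" in
    U2FsdGVkX1) return 0 ;;
    *) return 1 ;;
  esac
}

# Encrypt the sample twice, then check: header present, ciphertexts differ
# (random salt), correct passphrase recovers the text, wrong one does not.
vault_selftest() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE" | vault_encrypt 'correct horse' "$dir/a.aes" &&
  printf '%s\n' "$SAMPLE" | vault_encrypt 'correct horse' "$dir/b.aes" &&
  vault_is_salted "$dir/a.aes" &&
  ! cmp -s "$dir/a.aes" "$dir/b.aes" &&
  [ "$(vault_decrypt 'correct horse' "$dir/a.aes")" = "$SAMPLE" ] &&
  [ "$(vault_decrypt 'wrong guess' "$dir/a.aes" 2>/dev/null)" != "$SAMPLE" ]
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

vault_selftest && echo 'round trip OK'
```

A file written with `-pbkdf2` has to be decrypted with the same key-derivation flags, so every machine that opens it must use the same options. `openssl enc` in this mode does not authenticate the ciphertext; a wrong passphrase is normally reported as a bad decrypt only because the padding check fails.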

Create a 'password safe' for online passwords
Authored by: alblue on Dec 05, '05 03:01:20PM

Like pretty much everyone else here, I recommend using the Keychain app to manage passwords.

What perhaps often goes unnoticed in Keychain is that you don't just have to have one Keychain. There's one by default (called login.keychain) and/or your username (e.g. Administrator.keychain). If that keychain is there when you log in, and the same password is used to secure it as your login password, then it's unlocked automatically.

However, you can have multiple keychains; if necessary, each with their own password. My banking keychain is different from my login one so that even if someone sits down at my machine and posts as me to macosxhints.com, they can't get at my banking details.

Also, keychains can be set to lock after inactivity (although whether that's inactivity in using the keychain or inactivity of using the computer isn't clear) and when the computer goes to sleep. Great if you want to have some uber-secure keychains whilst not having it bug you for your GMail password every time you wake from sleep.

Lastly, if you want to sync different machines but have a separate stash for each, why not have two keychains? One can be a 'master' for your laptop (say, laptop.keychain) and the other can be a 'master' for your desktop (say, desktop.keychain). Then just set up an Automator job to copy one to the other...



[ Reply to This | # ]
The importance of segregation
Authored by: macubergeek on Feb 01, '06 03:00:45AM

Here's the thing. If you use your personal mac on the job, you probably don't want to mix your employer's usernames and passwords to things like routers in with your other stuff.

One idea I've had is to create a logon.command file which is a double clickable expect script which would log me onto remote hosts. like so:

#!/usr/bin/expect --
spawn ssh username@remote_host.com
expect "password"
send "my_password\r"
interact

This will store my password on an encrypted disk, which isn't mixed in with my other personal passwords...I can move the *.img file around on a thumb drive, and it will log me in and give me a shell to the remote host too.

The problem with the keychain is that if you lose control of your logon password you lose everything else stored in the keychain too.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: meh on Dec 05, '05 04:24:33PM

I do the same thing, but call the file something completely banal, like "Plant Care.dmg" or "Terry's Fig Bar recipe" or "Family Ties episode guide". I like the idea of someone going through the effort of hacking my firewall, my computer, and then getting into the guts, and then coming across a very boring looking file and moving right past it, choosing instead to grab "Swiss Bank Account info.txt" and "Incriminating photos of me, G. W. Bush, and Osama Bin L on fishing trip, Lake Tahoe, May 2001.rtf".



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: eross77@mac.com on Dec 05, '05 08:22:24PM
I agree that the keychain is the best to use for the Mac, but for those of us who have to live in multiple environments I found PasswordSafe, which was originally written by Bruce Schneier of Applied Cryptography fame. He released it to the open source community and there is also a Java based version of it that runs just about anywhere Java is supported. The binary password safe database transports just fine between platforms.

[ Reply to This | # ]
favor the file method
Authored by: russellh on Dec 05, '05 09:11:45PM

I also use an encrypted disk image. I use keychain whenever it asks, but since 1996 or so, I've been keeping passwords and stuff in files. Back then it was one file, but since I started adding additional notes and storing other documents I use one file or folder per account. Total count so far: 196. ugh. Back in the day we were thinking the online identity problem would shortly be solved. But no.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: barrysharp on Dec 05, '05 10:01:05PM

I don't use any computer-based system for storing passwords. I keep mine in my head.

Here's what I have used.

Formulate a scheme that is based on the first letter of a web site after the www. That letter is then used to seed your password. This first letter is the starting character for your password and is also used to define a digit.

Let's say you have this well memorized character string called "CHAR_STRING".

So let's take www.apple.com as an example. The first letter is A and because this letter is made up of straight lines it defines the digit "1". If it had been a letter "B" then as it has curves in it it defines a digit "2". Every character in the alphabet is either made of just straight lines or has curves in it - thus it's easy to figure if the first character defines "1" or "2".

Thus for www.apple.com we have a password of a+CHAR_STRING+1 (without the "+" signs of course).

This does mean that some online web sites requiring passwords will be the same. On the other hand the password used is really quite secure, is easy to construct on the fly and can easily be remembered.

I've returned to some web sites that I've not visited for up to two years and have been able to login using this simple pw generator algorithm for remembering my old pw.

Of course you can make the algorithm I give as an example more complex and consequently more secure if you wish. The goal however is to allow yourself to be able to quickly and easily generate the pw on the fly from your mind and not have to rely on any computer-based pw generator. Hopefully you always have your mind with you.

---
Regards... Barry Sharp



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: simplyodd on Dec 06, '05 01:38:14AM

Barry,
was very impressed by your simple yet clever and reliable mental algorithm. Have you or anyone else, any suggestions equally as ingenious for these freekin sites where they force you to keep changing your password. My company is notorious for this on their pc's, and since my colleagues can't possibly remember an ever changing password, I've seen their passwords written on post-its stuck right on their monitor. So much for security. thanks, tom



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: missinglina on Dec 06, '05 10:04:14AM

barry, you are aptly named, for this is a "barry sharp" idea. one i think i'll use.



[ Reply to This | # ]
Create a 'password safe' for online passwords
Authored by: grikdog on Dec 06, '05 09:29:05AM

The necessary but not sufficient feature of this system is that browsers allow you to Cut & Paste from the image's text file to the browser's form. Some applications which provide password-protected services will NOT accept pasted passwords. This includes PGP Disk's (and Apple's own) authorization dialogs, although obviously there's a way to get around Apple's restriction via XCode or Keychain Access would not work.



[ Reply to This | # ]