
Keychain | 18 comments
Authored by: PatrickS on Jul 08, '10 07:53:58AM

This may be useful if you intend to use the same file across platforms and don't want to invest in a multi-platform password manager. May need some experiments regarding usable/standardized colours though.

For Mac-only use: Why not use the Keychain to store passwords and other sensitive stuff? It even has a "copy to clipboard" function for the password, allowing you to paste the password into a web form without ever displaying it on the screen.

Authored by: mkluskens on Jul 09, '10 07:23:10AM

Storing a password in Keychain Access and in a document on an encrypted disk image both result in roughly the same level of security, but highly dependent on which version of OS X and if you activated Windows File Sharing. I don't have experience with other password storing products nor have I read reviews by security professionals regarding their strengths and weaknesses.

With Keychain Access you are telegraphing your intent to view a password, but you can make it go away with cmd-w as soon as you have seen it.

With the white-on-white encrypted document it's a bit less obvious that you are going to look at a password and depending on the font size and highlight color it might be impossible for another person to read unless they are as close as you are to your screen and/or have better eyesight than you and you only have to view part of it.

I'm not sure about documentation on breaking encrypted disk images, but anyone in that business probably has access to that information, but I doubt a 5th grader could do it.

Access to your passwords in Keychain Access is granted to anyone who can enter your password, which could be obtained by cracking the password hash or hashes stored on your boot disk (in /var). If you are foolish enough to enable Windows File Sharing under 10.5 or later then getting your password is trivial as the password hash stored to enable Windows Sharing is trivial by today's standards (I tested this on a previous release of OS X and in OS X 10.5 Apple finally warned the user about this). 1 TB hard disks with hash tables for passwords up to 14 characters have been widely available since 1 TB hard disks came out but mostly with Windows LM & NTLM hashes (currently sell for $500) (google "rainbow tables" for documentation on this topic. Web sites exist where you submit the hash and they give you the password). The location of the OS X password hashes is documented so a 5th grader with access to google could probably figure it out. I found step by step instructions last time I researched this issue. FileVault under 10.3 and 10.4 was insecure unless you knew to disable the LM and NTLM hashes, those are disabled by default under 10.5 and later. As a side note, virtually every install of Windows XP and earlier has the LANMAN (LM) hashes enabled making it truly trivial to crack their passwords, and Apple "supports" Windows File Sharing by storing your password in the LM and NTLM hashes. The other choice for Windows File Sharing on OS X is the NT hash which is only slightly stronger, but I think OS X creates them both if you turn on File Sharing in 10.5 & 10.6.

I don't know if Apple is finally using a "salt" with their password hashes, for a long time they weren't, so even with LM and NTLM disabled, cracking the OS X password hashes was doable as I think they are/were using MD5 for which rainbow tables exist and are useful if a salt is not used. Even SHA1 is believed to be at risk now.

The earliest and only rainbow table I built was for the TRS-80 Model 1 and I printed that one out. I downloaded a CD that will boot an XP machine into Linux and automatically crack its passwords if the Lanman (LM) and NT hashes (NTLM) have not been disabled, I found it helpful as I tend to forget the admin password on my home XP iMac (XP is for gaming right? ;-) ).

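The point about salts in the comment above, as an added example that is not part of the original thread: a defender's audit showing why unsalted hashes fall to one reusable precomputed table while per-user salted PBKDF2 records do not. The candidate list, account names and function names are constructed for illustration, and the plain dictionary stands in for a real rainbow table, which is a more compact time-memory trade-off.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed table's coverage.
CANDIDATES = ["letmein", "password1", "trs80model1", "qwerty123"]

def unsalted_md5(password):
    """Unsalted digest: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(candidates):
    """Precompute hash -> password once; the table is reusable everywhere."""
    return {unsalted_md5(p): p for p in candidates}

def audit_unsalted(stored, lookup):
    """Defender's check: which stored unsalted hashes fall to the table?"""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

def salted_record(password, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, key)

if __name__ == "__main__":
    lookup = build_lookup(CANDIDATES)
    # Constructed account store: two users share a password, one is unlisted.
    stored = {
        "alice": unsalted_md5("letmein"),
        "bob": unsalted_md5("letmein"),
        "carol": unsalted_md5("Zq7!not-in-table"),
    }
    print("recoverable from table:", audit_unsalted(stored, lookup))
    a, b = salted_record("letmein"), salted_record("letmein")
    print("same password, different salted keys:", a[2] != b[2])
    print("legitimate login still verifies:", verify("letmein", a))
```

With a salt, a table has to be rebuilt for every account, and the iteration count makes each guess expensive.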