The .mac Keychain Access 'not a bug' bug
Authored by: scaryfish on Mar 19, '03 04:20:19PM
IIRC, this has been a "problem" for quite a while.

I don't really see what the fuss is about - if your keychain is unlocked then people can access your password. Whether they do it through Keychain Access or if they use a custom program that just requests it and displays it, they can still get at it easily enough. The solution is simple - lock your keychain when you're away from your computer.

And disable auto-login (or at least make your keychain password different from your login password so it doesn't automatically unlock at login).

---
=)



Not true!
Authored by: mingking on Mar 20, '03 01:26:38PM

It is NOT true that once you open your Keychain Access application you then automatically can see all your passwords. Each entry has an Access Control setting that says which applications can access the password. By default, the Keychain Access application itself does not have access to the passwords. If you select 'show passphrase' it will normally then ask you for the password at that time and ask you what policy you want to assign for the Keychain Access application. If you choose 'Allow Always' that means the Keychain Access application Always has access to that password without prompting. That is where the problem lies. You normally want e.g. the Mail application to have 'Always' access, which happens in a way that is not visible to anyone, but you DON'T normally want the Keychain Access application to have Always access to the password. In fact, I don't see any reason for an option like that at all. Why would you ever want to Always let one application display all of your passwords in plain text?

Security should be conservative by default. It should be very clear what the implications are of assigning a policy of Always for each application. Like I said, for e.g. Mail, that is what you want, but NOT for an application like Keychain Access.

Note this is not a problem solely with .Mac access. As noted in another post here, this could be a problem for any password entry, including those to ftp servers, bank accounts, encrypted files etc. I went through my keychain entries and found a half dozen that were set for Always access to the Keychain Access application. That is not what I ever intended. This should be tightened up.



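The manual audit described in the comment above (looking for entries that grant Keychain Access "Always" access), as an added example that is not part of the original thread: Python that scans text laid out like the ACL listing of `security dump-keychain -a` and reports items whose decrypt ACL trusts a given application. The sample dump is constructed, its layout is an assumption to check against real output, and `items_trusting` is a hypothetical helper name.

```python
import re

# Constructed sample; the layout imitates `security dump-keychain -a` output
# and is an assumption, not captured from a real system.
SAMPLE = '''\
keychain: "/Users/example/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "srvr"<blob>="mail.example.com"
access: 1 entries
    entry 0:
        authorizations (1): decrypt
        don't-require-password
        description: mail.example.com
        applications (2):
            0: /Applications/Mail.app (OK)
            1: /Applications/Utilities/Keychain Access.app (OK)
keychain: "/Users/example/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "srvr"<blob>="ftp.example.com"
access: 1 entries
    entry 0:
        authorizations (1): decrypt
        don't-require-password
        description: ftp.example.com
        applications (1):
            0: /Applications/Mail.app (OK)
'''

def items_trusting(dump, app="Keychain Access.app"):
    """Return labels of items whose decrypt ACL lists `app` as always trusted."""
    hits, label, decrypt = [], None, False
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("keychain:"):            # start of a new item record
            label, decrypt = None, False
        elif s.startswith(('"srvr"', '"svce"')):  # server / service attribute
            label = s.split("=", 1)[1].strip('"')
        elif s.startswith("authorizations"):      # does this ACL entry cover reading?
            decrypt = "decrypt" in s.split(":", 1)[1].split()
        elif decrypt and re.match(r"\d+: ", s) and app in s:
            if label not in hits:                 # numbered line = trusted application
                hits.append(label)
    return hits
```

Items it reports are the ones to revisit in each entry's Access Control settings; Mail appearing there is expected, a password viewer is not.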