Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Click here to return to the 'A stolen Mac and Keychain Access really secure?' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
A stolen Mac and Keychain Access really secure?
Authored by: davidefrank on Sep 24, '04 03:57:04PM

This gets awkward to explain, but here goes.

Let's say Fred and Barney both have accounts on a Mac OS X system. Suppose Fred wants to break into Barney's account. If Fred is an administrator, he can just change Barney's password via the Accounts pane of System Preferences. If Fred is NOT and administrator, or perhaps Fred has stolen Barney's machine, he could change Barney's password by booting the system from the Mac OS X installer CD. (Unless booting from the CD is disabled in Open Firmware.)

Now Fred can log in as Barney. But Fred still cannot unlock Barney's keychain! Fred only has access to Barney's local account, NOT to every account defined in Barney's keychain.

Here's why. When a user changes THEIR OWN password in the Accounts pane of System Preferences, their keychain password is changed to match. BUT if an admin user changes ANOTHER user's password, the keychain password is NOT automatically updated. The same is true for passwords reset via the startup disk.

(A "normal" user - ie not an administrator - can't change another user's password. Thank goodness!)

I had to be convinced that Keychain represented a net gain in security. Overall I believe it does in fact increase the security of the user's many login identities, while it also adds to the convenience of accessing many accounts. Not a bad accomplishment!

-Dave Frank

[ Reply to This | # ]