|
Mac GeekeryGet your geek on. |
|
blog advertising is good for you
recent popular content
User login
|
Alex Coles asks: QuestionI’m a recent switcher and one of the (many) things which attracted me to the Mac was its security. However, I booted from the OS X DVD that came with my Intel iMac and was concerned to see an option offering me the ability to reset my administrator password. If my computer gets stolen, surely it’s not that easy for someone to access all my data? In a panic, I’ve enabled FileVault, but I’ve since read that this stores all of your stuff in a disk image which has been known to become corrupted. Plus, several times I’ve shut my Mac down and walked away, only to find when I came back that it didn’t shut down at all, but stopped with a message telling me that my FileVault is taking up too much space and would I like to recover the space? Oh, for an “Always Retrieve Space” checkbox here. AnswerOf course it’s that easy, it’s a Mac. Seriously, unless your data is encrypted then it’s trivial to get to it if you have physical access to the machine or hard drive, no matter the platform. If you have an unencrypted Windows volume, Mac or Linux would be happy to mount the drive and give you access to all the files without question. Similarly, if you connect a Mac over FireWire target mode you can conveniently check the “Ignore permissions on this volume” checkbox in the volume’s information window and have full access to the drive’s contents. That’s just how computers work. This isn’t to say there aren’t ways around it, but it is to say that you should expect that if someone has physical access to your computer, you’re screwed. Period. They have your data and nothing you did to protect it matters anymore. Unless, of course, you encrypted the important stuff. So as you’ve discovered, you can enable FileVault, the overreactive beast of the encryption world. Don’t get me wrong, it’s a nice hack and a neat idea, but it’s still a hack and causes all kinds of crazy problems with certain programs (iLife programs in particular really dislike it). The better solution is to determine exactly what information you want protected and then put that on a custom encrypted disk image (Disk Utility can make one for you). Put a link in your dock and don’t save the password in the keychain (ever). That’s the best way to use a disk image for this kind of thing. The key to security, as I’ve said before, is to never let go of the machine. If you hand it to someone, do not trust the system to keep that person out. Instead, you should trust that person not to try.
About Adam Knight
 Author Biography Adam Knight is one of the founders of Mac Geekery and is a geek at heart. Programmer by day, hacker by night, his daily life revolves around the Macintosh platform, which he has been a user and programmer for since the early days of System 7 when his LCII replaced his Apple //c. In-between tech jobs, he’s managed to learn the basics of any web hacker: PHP, MySQL, Perl, Apache, Linux, *BSD, and the intricacies of ./configure —prefix=~/bombshelter/. Today, codepoet is concentrating on blogging again, writing some software for the Mac by himself (including Notae) and for his company (such as Switchblade) and has a few other toys coming out soon. Bug him over AIM or email [link fixed]. |
“Put a link in your dock and don’t save the password in the keychain (ever)”
Why shouldn’t we store a password in the keychain?
I’m a new mac user and I have stored a number of account in the keychain. I use password safe on my pc and have been looking for something similar for my mac. I have been recommended to use the internal keychain program..
Regards,
manne
When dealing with encrypted disk images, it’s unwise to put the password in the keychain. This is not because of some insecurity with how that’s stored, but because while the keychain is unlocked, anyone that comes to the computer can open the disk image without a prompt. It’s best to have to use the password every time for something you’re intentionally putting behind bars and not something you’re forced to lock up based on someone else’s decision.
The keychain’s strength is keeping things secure while making them simple. When you’re keeping something secure intentionally, you shouldn’t make it any easier for would-be attackers to get in, and saving the password somewhere other than your head is one of those things that makes it easier.
Can you recommend a good application for saving passwords/accounts?
I’m using Password safe on my WinXP:
http://passwordsafe.sourceforge.net/
And I’m looking for something similar for mac os x (intel).
/manne
The Keychain Access program built-in to Mac OS X offers secure notes as well as keeping login information. You could create another keychain, one you normally keep locked, and put your information in there.
The default behavior for the keychain is to unlock at login and to stay unlocked until logout or when manually locked. As you point out, you can create another keychain with a different password than your account so that you can unlock it manually when you need it.
Of course, then the better advice is to use a separate keychain as your default keychain all the time. That way, it is only unlocked when you authorize it, and if you set it to auto-lock after a minute or so, the danger of someone else getting on your machine and accessing your keychain is pretty moot. And then, if you only need to remember your account password and your keychain password, you can use extremely secure passwords like the ones generated here: https://www.grc.com/passwords.htm (or even with the password assistant that is buried in the Keychain app).
Since resetting the account password will not affect your non-login keychain, you can feel secure even if you have lost physical access to your computer. Of course, your keychain password shouldn’t be “cookie2” or something similar if you’re really concerned about security.
Apologies for adding to an old thread; I just feel frustrated that this isn’t the default behavior in Keychain when it really should be.
It’s undeniably true that once your computer is in someone else’s possession, security is out the window. There is, however, an intermediate solution that will slow down less-than-proficient attackers. (i.e., it will keep the ‘honest’ people honest.)
It is Apple’s Open Firmware Password application, and is a free download [http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html] for Panther users. It is already present on the Tiger installation / restore disc.
In Apple’s words, the application:
“.. prevents others from starting up the computer from a volume other than the one you have chosen as the startup disk (chosen in the Startup Disk preference panel within the System Preferences.) Once security is enabled, you cannot startup from other devices such as an external FireWire disk, a CD-ROM drive, or another partition or disk inside the computer.”
I would note that it also prevents the computer from being placed into Firewire Target mode. Yes, one could physically remove the drive and place it in another Mac — but again, this is meant to prevent opportunistic snooping, not a direct and determined attack.
It’s worth noting that the ONLY way of bypassing open firmware is if you have physical access to the machine. Either by taking the drives out, but also there is a way by removing some ram to proove to the computer you have internal access and thus mght aswell give up the open firmware control, just incase you do forget it. But if you soldered you computer closed, pad locked and chained it together, I’m betting whoever stole it would just dump it
If you want your computer back! youd be better investing some time into securing your private files in encrypted disk images or file vault, and allowed the thief access to everything else, while in the background trying to make connection to the net to inform you of its whereabouts and activity to help catch them and retrieve your beloved computer!