About Adam Knight
Location
Austin, TX
Home page/site
http://www.hopelessgeek.com/
Author Biography
Adam Knight is one of the founders of Mac Geekery and is a geek at heart. Programmer by day, hacker by night, his daily life revolves around the Macintosh platform, which he has been a user and programmer for since the early days of System 7 when his LCII replaced his Apple //c.
In-between tech jobs, he’s managed to learn the basics of any web hacker: PHP, MySQL, Perl, Apache, Linux, *BSD, and the intricacies of ./configure --prefix=~/bombshelter/. Today, codepoet is concentrating on blogging again, writing some software for the Mac by himself (including Notae) and for his company (such as Photonic) and has a few other toys coming out soon. Bug him over AIM or email [link fixed].


“Put a link in your dock and don’t save the password in the keychain (ever)”
Why shouldn’t we store a password in the keychain?
I’m a new Mac user and I have stored a number of accounts in the keychain. I use Password Safe on my PC and have been looking for something similar for my Mac. I have been recommended to use the internal keychain program.
Regards,
manne
/manne
When dealing with encrypted disk images, it’s unwise to put the password in the keychain. This is not because of some insecurity with how that’s stored, but because while the keychain is unlocked, anyone that comes to the computer can open the disk image without a prompt. It’s best to have to use the password every time for something you’re intentionally putting behind bars and not something you’re forced to lock up based on someone else’s decision.
The keychain’s strength is keeping things secure while making them simple. When you’re keeping something secure intentionally, you shouldn’t make it any easier for would-be attackers to get in, and saving the password somewhere other than your head is one of those things that makes it easier.
Can you recommend a good application for saving passwords/accounts?
I’m using Password safe on my WinXP:
http://passwordsafe.sourceforge.net/
And I’m looking for something similar for Mac OS X (Intel).
/manne
The Keychain Access program built into Mac OS X offers secure notes as well as keeping login information. You could create another keychain, one you normally keep locked, and put your information in there.
The default behavior for the keychain is to unlock at login and to stay unlocked until logout or when manually locked. As you point out, you can create another keychain with a different password than your account so that you can unlock it manually when you need it.
Of course, then the better advice is to use a separate keychain as your default keychain all the time. That way, it is only unlocked when you authorize it, and if you set it to auto-lock after a minute or so, the danger of someone else getting on your machine and accessing your keychain is pretty moot. And then, if you only need to remember your account password and your keychain password, you can use extremely secure passwords like the ones generated here: https://www.grc.com/passwords.htm (or even with the password assistant that is buried in the Keychain app).
Since resetting the account password will not affect your non-login keychain, you can feel secure even if you have lost physical access to your computer. Of course, your keychain password shouldn’t be “cookie2” or something similar if you’re really concerned about security.
Apologies for adding to an old thread; I just feel frustrated that this isn’t the default behavior in Keychain when it really should be.
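The separate, auto-locking keychain described in the comment above can be set up from Terminal with the `security` tool that ships with Mac OS X. This is an added example, not part of the original thread; the keychain name `vault` and the 60-second timeout are assumptions, and the script only prints the commands unless run with `APPLY=1` on a Mac.

```shell
#!/bin/sh
# Added example: a separate, normally locked keychain with a short auto-lock.
# "vault" and the 60-second timeout are assumed values, not from the thread.

# Print the command (default) or execute it (APPLY=1, on a Mac).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# setup_locked_keychain NAME TIMEOUT_SECONDS
setup_locked_keychain() {
    name=$1
    timeout=$2
    case $timeout in
        ''|*[!0-9]*) echo "timeout must be whole seconds" >&2; return 2 ;;
    esac
    if [ "$timeout" -lt 1 ]; then
        echo "timeout must be at least 1 second" >&2; return 2
    fi
    # Refuse the login keychain: it is unlocked by the account password,
    # which is exactly what the separate keychain is meant to avoid.
    case $name in
        ''|login|login.keychain*) echo "pick a non-login name" >&2; return 2 ;;
    esac
    kc="$name.keychain"

    # No -p option: security prompts for the new password, so it never
    # appears in shell history or in the process list.
    run security create-keychain "$kc" || return 1
    # -l locks on sleep; -u with -t locks after TIMEOUT seconds idle.
    run security set-keychain-settings -l -u -t "$timeout" "$kc" || return 1
    # New items are saved here instead of in the login keychain.
    run security default-keychain -s "$kc" || return 1
    # Start locked; it opens only when you type its password.
    run security lock-keychain "$kc" || return 1
}

setup_locked_keychain vault 60
```

After applying it, `security show-keychain-info vault.keychain` reports the lock-on-sleep and timeout settings that are in effect.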
It’s undeniably true that once your computer is in someone else’s possession, security is out the window. There is, however, an intermediate solution that will slow down less-than-proficient attackers. (i.e., it will keep the ‘honest’ people honest.)
It is Apple’s Open Firmware Password application, and is a free download [http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html] for Panther users. It is already present on the Tiger installation / restore disc.
In Apple’s words, the application:
“.. prevents others from starting up the computer from a volume other than the one you have chosen as the startup disk (chosen in the Startup Disk preference panel within the System Preferences.) Once security is enabled, you cannot startup from other devices such as an external FireWire disk, a CD-ROM drive, or another partition or disk inside the computer.”
I would note that it also prevents the computer from being placed into Firewire Target mode. Yes, one could physically remove the drive and place it in another Mac — but again, this is meant to prevent opportunistic snooping, not a direct and determined attack.
It’s worth noting that the ONLY way of bypassing Open Firmware is if you have physical access to the machine. Either by taking the drives out, but also there is a way by removing some RAM to prove to the computer you have internal access and thus might as well give up the Open Firmware control, just in case you do forget it. But if you soldered your computer closed, padlocked and chained it together, I’m betting whoever stole it would just dump it.
If you want your computer back, you’d be better investing some time into securing your private files in encrypted disk images or FileVault, and allowing the thief access to everything else, while in the background trying to make a connection to the net to inform you of its whereabouts and activity to help catch them and retrieve your beloved computer!