Apple Event: May 7th at 7 am PT

Learn more

Add to your calendar 

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

System Keychain Vulnerability

I have my login keychain secured by a separate password. However, the System Keychain contains the password to my network and time capsule and is not secured by a separate password. I only need to open Keychain Access, unlock the System Keychain, and enter my login password and I have access to the items.

I thought the idea behind the System Keychain was to store passwords needed for the system independent of the user and that these passwords would be secured by a system password known only to the OS. The fact that I can use my login password to access these keychain items makes the second password for my login keychain irrelevant for my network and time capsule.

Am I missing something..?

MacBook Pro Early 2008, Mac OS X (10.6), security vulnerability keychain

Posted on Sep 5, 2009 5:47 PM

Reply
9 replies
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,989 points

Sep 5, 2009 5:59 PM in response to David Cameron3

You can change the password on any keychain. Also, a keychain locked with your login password is more secure than it seems. It unlocks automatically when you log in, and the login password can be reset with nothing more than a Mac OS X install disk, so it seems totally insecure. However, note that resetting the login password does not in any way affect the keychain password. If you forget your login password and reset it, your keychain will be as good as trash unless you can remember the password.

The one major vulnerability involves remaining logged in with a keychain left unlocked while your computer is unattended in an insecure location. As long as you don't do this, you're okay.
Reply
User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

Sep 5, 2009 6:14 PM in response to David Cameron3

Thanks for the response. But the System Keychain is different. When I try to change the password for it it asks (of course) for the current password. But I don't know the current password (it is not the login password). This is the crux of the matter. For some reason I can unlock and view the entries in the System Keychain using my login password but that is not apparently the keychain password. Only the OS knows the password for the System Keychain. I think it is a vulnerability.

What you describe is absolutely correct for the other keychains. It is just the System Keychain I am concerned about which has my network and time capsule passwords (only)...
Reply
User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

Sep 5, 2009 6:31 PM in response to David Cameron3

Sorry, I should have included this.

I would have thought that one wouldn't be able to unlock the system keychain or view any of the elements in it without the OS-assigned password. That does NOT seem to be the case (i.e., one can do it with the login password), which is why I think this is a vulnerability

Let's look at a scenario.

I am in my backyard connected to my network. I have 2 keychains. The login keychain is secured by 2 passwords. The system keychain is not (I have tried to change the password for the system keychain but because I don't know the OS-assigned password, I can't).

I put my Mac to sleep, which in my case will lock my login keychain. My system password is locked by default.

Someone takes my Mac and is able to guess or otherwise break my login password. I am still protected for my login keychain by a second, stronger password.

however, being mac-savvy, the thief opens keychain access and selects my *System* keychain and unlocks it. It asks for a password and the thief enters my login password. It unlocks. They then see that the System keychain contains my network password and my time capsule password. They select these and click the show password box. Again they are prompted for a password and enter the login password. They now are shown my network and time capsule password with which, assuming they are still in proximity to my wireless network, can reconfigure my time capsule, etc.

This totally defeats the purpose of being able to secure a keychain with a separate, non-login password. Of course, the System Keychain only contains passwords which are needed across all users, but these include the network and time capsule passwords which are pretty critical...

Message was edited by: David Cameron3

Message was edited by: David Cameron3
Reply
User profile for user: William Lloyd
William Lloyd
User level: Level 7
21,311 points

Sep 5, 2009 6:55 PM in response to David Cameron3

You can put these items (in particular, your network password) in a separate keychain if you wish.

But, really, this will be a pain. Do you want to have to enter a second password to be able access the network every time? Yuck 🙂

IMO, you should just choose a REALLY GOOD login password. And if you want, change it regularly. That's pretty darned secure, by most definitions of security.
Reply
User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

Sep 5, 2009 8:09 PM in response to David Cameron3

I understand, thanks.

My point is that, isn't it a vulnerability if the OS allows the login password to access items in the System Keychain, even when the System Keychain password (set by the OS) is different from the login password (set by the user and/or deciphered by a laptop thief)? At minimum, that is inconsistent with the behavior of all other keychains where the user can set a different password than the login password and thereby prevent access without a second password?

Put another way, the OS automatically puts these critical items in the System Keychain, prevents the user from changing the password to that keychain, and yet allow anyone who knows (or can figure out) my login password to access them.

I realize a strong login password is the best defense but the idea here is that two passwords are better than one, should one decide to go that route.

I am a big Apple fan but this seems like an oversight...
Reply
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,989 points

Sep 6, 2009 3:00 AM in response to David Cameron3

Someone takes my Mac and is able to guess or otherwise break my login password. I am still protected for my login keychain by a second, stronger password.


As I said before, even if your login keychain uses exactly the same password as your login password, resetting the login password will not help an attacker break into that keychain. The attacker would have to guess your login password to get access to that keychain. Of course, if you've chosen such a poor password that someone could guess it, you can hardly call that a system vulnerability!

however, being mac-savvy, the thief opens keychain access and selects my *System* keychain and unlocks it. It asks for a password and the thief enters my login password.


Again, this relies on the thief knowing your login password. However, I'm not sure what the effects of resetting the login password would be on the System keychain. I would think that the same thing would apply and you'd lose access to those passwords. But since this keychain has a different purpose than the others, maybe not. The only way to know for sure would be to test it.

the System Keychain only contains passwords which are needed across all users, but these include the network and time capsule passwords which are pretty critical...


That's assuming that resetting the password gives access, which may not be the case. Even if that is the case, those passwords are not really critical... choose a unique password for these things that you don't use for anything else. Your scenario of having someone steal your laptop yet stay on-site and mess with your Time Capsule is a bit silly. The thief already has your machine, so there's nothing on the Time Capsule that they won't already have.
Reply
User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

Sep 6, 2009 6:30 AM in response to David Cameron3

Thanks. Your points are certainly valid and I appreciate the detailed response. I realize the scenario is silly but it was meant more to illustrate the point. What you seem to be saying is, "As long as someone sets a strong enough login password, this isn't a problem" which is true, but doesn't address the point of my posting:

"My point is that, isn't it a vulnerability if the OS allows the login password to access items in the System Keychain, even when the System Keychain password (set by the OS) is different from the login password (set by the user and/or deciphered by a laptop thief)? At minimum, that is inconsistent with the behavior of all other keychains where the user can set a different password than the login password and thereby prevent access without a second password?"

Thanks again...
Reply
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,989 points

Sep 6, 2009 6:59 AM in response to David Cameron3

"My point is that, isn't it a vulnerability if the OS allows the login password to access items in the System Keychain, even when the System Keychain password (set by the OS) is different from the login password (set by the user and/or deciphered by a laptop thief)? At minimum, that is inconsistent with the behavior of all other keychains


Well, I certainly would not advise putting, say, your bank site password in the System keychain. For that matter, I wouldn't put anything there. The System keychain is, as you point out, a special case for providing specific passwords to system processes across accounts, and is only meant to be used by the system. It is a single keychain shared across all accounts. (It's in /Library/Keychains/, while all your keychains on your account will be in ~/Library/Keychains/.) Without it, you'd have to configure every wireless network on every account, which could rapidly become a pain in the butt.

Since the System keychain is designed to be accessed by every user on the machine, I don't think you can call it a vulnerability. At least, I wouldn't call it one...
Reply
User profile for user: David Cameron3
David Cameron3 Author
User level: Level 1
9 points

Sep 6, 2009 8:21 AM in response to David Cameron3

Right. I guess vulnerability may be too strong a word. However, since there is nothing to prevent users from putting into the System Keychain passwords they shouldn't, in my opinion at best this is bad security practice, not to mention inconsistent behavior.

My own two cents: I would like to see the System Keychain accessible only by the OS, not by any user with their login password (i.e., the same behavior found in other keychains). By accessible, I mean it can't be unlocked and individual items can't be viewed in the System Keychain using just a login password. The login keychain also contains the passwords found in the System Keychain so if a user wanted to see the items stored in the System Keychain, they can go there, and set whatever security they want around access to that. Let the OS (exclusively) manage the System Keychain.

Thanks for engaging...
Reply

System Keychain Vulnerability

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up