Previous 1 2 Next 15 Replies Latest reply: Dec 4, 2006 6:05 AM by Gnarlodious
Don Rindfleisch Level 1 Level 1 (15 points)
I keep the keychain locked all the time, and I am getting tiried of typing in the password all the time. My question is, if I leave the keychain unlocked all the time, how secure are my passwords?

G5/ IMac, Mac OS X (10.4.8)
  • Network 23 Level 6 Level 6 (11,870 points)
    I think this is a two-part answer. Leaving your keychain unlocked means anyone can walk up to your computer and use the password accounts, but the actual passwords themselves should be safe.

    Example: If you have an account at Bank A and someone uses your computer and goes to the Bank A home page, the Keychain will probably fill in your username and password and be able to get into your account. However, if that person wants to find out what the actual password itself is, I don't think they will be able to because the Keychain fills in the passwords with dots, and I think that even if the Keychain is unlocked they would have to enter the Keychain password to see what passwords are in the Keychain. And they wouldn't know that.

    I think you have to consider your computer's physical security. If it's a home desktop and it's often shut down when you're out, then it might be OK to leave the keychain unlocked because I think someone would have to enter the Keychain password the first time it gets used on a secure item after startup.

    I have a desktop and a laptop. I set a much longer keychain timeout on the desktop, because my home is relatively secure behind a locked unit door and a locked building door. On my laptop, I have a short 5-minute keychain timeout because I am allowing for the possibility that my laptop could be stolen since I take it around town. A 5-minute timeout limits the damage a thief could cause.

    Also, if you have better security methods, locking the keychain may be redundant and not critical. If you use the locking screen saver, for instance, maybe you don't need to lock the keychain.
  • Don Rindfleisch Level 1 Level 1 (15 points)
    Thank you that answers one of my questions, but, could someone on the internet hack into an unlocked keychain and my passwords?
  • macjack Level 9 Level 9 (50,625 points)
    Yes. Theoretically, any Mac can be cracked/hacked. If you use common sense the odds against it happening are long.

    You can protect yourself by using your firewall and/or a hard wired router, downloading only from "trusted" sites, installing all security updates and being careful about what you give administrative power to.

    Don't use Limewire or any other P2P service to download your software, get it from reputable sources. In addition, always keep at least your users backed up, preferably a clone of your entire system on a separate disk. And put your sensitive passwords, bank accounts, credit card numbers in a "secure note" in a new keychain or in an encrypted folder.


    -mj
    macjack@gmail.com
  • Gnarlodious Level 4 Level 4 (3,225 points)
    Your passwords are safe because Keychain requires typing in a Keychain password to reveal an individual password. Each password has an option to set the security level, by default each password's security level requires a keychain passsword to reveal the password.

    Cracking a Keychain password is extremely difficult, assuming you have a strong Keychain password. If you are a small fish it is unlikely anyone would be that interested in trying. As other posters pointed out, physically securing your Mac is the first line of defense, if you are in a maximum-security situation.
  • Don Rindfleisch Level 1 Level 1 (15 points)
    Thanks again, I am a guppy in this pond.
  • macjack Level 9 Level 9 (50,625 points)
    Hi Gnarlodious. first of all I want you to know that I haven't forgotten your Finder bug report or the workaround. I ran into the issue a couple of times and wanted to try to troubleshoot it a bit more, if I could. I also haven't seen any particular set of events that trigger it. Have you made any more progress?

    On the issue of keychain security, the point I'm making is not so much about passwords which a black hat wouldn't be as interested in as goodies like bank account numbers, credit card numbers, brokerage account numbers and other personal data. A lot of folks have these floating around freely in their home folder.

    I agree that is unlikely to get hacked but who wants to take the chance on ID theft? A good ID fetches between $2500 and $5000 USD in those chat rooms. Not bad for a couple of hours work or less, depending on how easy you make it.

    As for physical security, all bets are off the minute someone shows up with a retail install disk.

    The best you can hope to be is a frustrating target.



    -mj
    macjack@gmail.com
  • Gnarlodious Level 4 Level 4 (3,225 points)
    Hi Macjack. I don't know which bug you are talking about, it's a rather long list. Logging in to http://bugreport.apple.com/ I see that most of them are still open.

    "Floating around freely" doesn't sound like Keychain. For any household type user a non-dictionary password 8 characters long should be secure enough. Whether or not the keychain is auto-locking is a choice the user needs to make, and of course as the Mac becomes more popular the security situation will need periodic re-evaluation.

    The chance of a malicious attack on Keychain is very slim for the average user. Even if as you say, an installer disk resetting your password will not expose the keychain. I have never heard of a cracker breaking into a keychain file.
  • macjack Level 9 Level 9 (50,625 points)
    Let me try to be clearer.

    Most users don't keep bank account numbers, checking account numbers, etc. in their keychain. They are not passwords. Most users have them "floating around freely" not in Keychain but in whatever files they choose for them. That is why I suggested putting them in a "secure note" in a new Keychain. I also suggest a new Keychain to be even more frustrating.

    No, an installer disk won't expose Keychain items but again passwords are not the "good stuff", not what the miscreants are after.



    -mj
    macjack@gmail.com
  • Gnarlodious Level 4 Level 4 (3,225 points)
    OK. I see what you mean. Yes that is horribly insecure, a shell script could find credit card number patterns in seconds.
  • Network 23 Level 6 Level 6 (11,870 points)
    I keep identity related documents (electronic receipts and statements, accounting program data files, etc.) in an encrypted disk image that is only mounted when needed. There are a lot of data types that can't be stored in a Secure Note (i.e. most of them).
  • Gnarlodious Level 4 Level 4 (3,225 points)
    Network23: (a reference to Max Headroom?)

    You said:

    Keychain will probably fill in your username and password and be able to get into your account

    Most (if not all) financial institutions disable auto-filling of login fields due to the insecurity of auto-filling. Some of my accounts have the username filled in but never the password.
  • Network 23 Level 6 Level 6 (11,870 points)
    Most (if not all) financial institutions disable
    auto-filling of login fields due to the insecurity of
    auto-filling. Some of my accounts have the username
    filled in but never the password.


    Good point but I think you have to watch carefully to understand what is really going on with a page. Some web pages can be filled in two ways. One is the web page's own cookie-based autofill. The other is the Keychain. If I'm not mistaken, the Keychain can be used to fill in some web pages where the web page itself won't do autofill. I haven't worked out the specifics, because on accounts I want to protect the most, I don't use cookie autofill or the Keychain - I want to type it in from my head. (Avoid doing this on an unfamiliar computer that could have a keylogger installed, such as some random Internet cafe on your travels - bring your own Mac laptop.)

    When a web site asks me if I want to use cookie-based "remember me" autofill I usually say no, but let Keychain do it because I prefer the login to be stored inside secure Keychain instead of out in some cookie.

    One institution I use actually has one page that the Keychain can fill in and another where it doesn't work. When I get lazy I go to the page where the Keychain can remember it for me.

    Network23: (a reference to Max Headroom?)


    totally. I loved that show.
  • Gnarlodious Level 4 Level 4 (3,225 points)
    On pages that do not respond to autofill, the web author has disabled that feature with a Java property on the page. Some browsers (iCab is what I use) have an overriding autofill feature that allows you to set autofill words so you just type the first character. It works well for banks that force you to login with a 16 digit account number while they disable autofill :=)

    I agree about Max Headroom. Coolest show ever on TV.
  • William Worthington Level 1 Level 1 (25 points)
    The "Unlock Keychain" window keeps popping up on my Macbook but I don't know the password. How do I fix this? This annoyance "Migrated" from my old imac computer to this one....
Previous 1 2 Next