Mac OS X Stores Passwords As Plain-Text

Punani
Sep 11, 2004, 01:57 AM
It appears that at least Mac OS X 10.3.X stores passwords in plain-text.

Running this command, "sudo strings -8 /var/vm/swapfile0 | grep -A 4 -i longname", or the same against one of the various other swap files in the directory (e.g. /var/vm/swapfile3), can yield your password in plain-text.

Although I realize that swap files require root access and/or physical access, the swap files are simply "ready to be deleted" when Mac OS X reboots; they are not purged. One could possibly enter single-user mode or boot with the installation disks and check if the passwords are still stored somewhere.

This could render FileVault and Keychain encryption moot.

Found on BugTraq: http://securityfocus.com/archive/1/367116/2004-06-24/2004-06-30/2



gekko513
Sep 11, 2004, 03:00 AM
That's pretty serious! I thought passwords were supposed to go through a hash function so that the real password wouldn't be stored anywhere on the system after its creation.

iMeowbot
Sep 11, 2004, 03:27 AM
Yes, the password is hashed, but that's a different part of the process. What is happening here is that the login panel is accepting the plaintext password from the user (which is then hashed and compared against netinfo), but that plaintext version isn't being wiped after it is used. They'll be able to fix this one, but sheesh, someone at Apple must be feeling awfully silly right now.

gekko513
Sep 11, 2004, 03:55 AM
Yes, the password is hashed, but that's a different part of the process. What is happening here is that the login panel is accepting the plaintext password from the user (which is then hashed and compared against netinfo), but that plaintext version isn't being wiped after it is used. They'll be able to fix this one, but sheesh, someone at Apple must be feeling awfully silly right now.
Ah .. ok ... that also explains why it would be swapped out to disk. The login panel isn't used after login, and (some part of) it isn't released from memory, apparently, so it will eventually be swapped out to disk after some user activity.

iMeowbot
Sep 11, 2004, 04:15 AM
Yeah, the login window is a daemon, it hangs around as long as the GUI is running.

cb911
Sep 11, 2004, 11:17 PM
wow... it works. :eek:

well, it could be worse... lots worse. i guess we can be expecting a security update any day now?
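
Added example, not part of the original thread and not Apple's code: a C sketch of the handling the thread says was missing, where the typed password is pinned in RAM while in use and wiped before the function returns. The function names and the FNV-1a placeholder digest are assumptions for illustration; a real login path would use a proper password hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Zero memory through a volatile pointer so the compiler cannot drop the
   stores as "dead" when the buffer is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Placeholder digest (FNV-1a) standing in for the real password hash;
   it is NOT suitable for storing passwords. */
static uint64_t placeholder_hash(const char *s, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= (unsigned char)s[i]; h *= 1099511628211ULL; }
    return h;
}

/* Returns 1 if every byte is zero (used to confirm the wipe happened). */
static int is_wiped(const char *buf, size_t cap) {
    unsigned char acc = 0;
    for (size_t i = 0; i < cap; i++) acc |= (unsigned char)buf[i];
    return acc == 0;
}

/* Check the typed password held in buf (capacity cap) against the stored
   digest, then wipe buf on every path. Returns 1 on match, 0 otherwise. */
static int verify_and_wipe(char *buf, size_t cap, uint64_t stored) {
    /* Pin the page in RAM so it cannot be paged out to a swap file.
       mlock can fail under a low RLIMIT_MEMLOCK; the wipe still runs. */
    int locked = (mlock(buf, cap) == 0);
    const char *end = memchr(buf, 0, cap);
    size_t len = end ? (size_t)(end - buf) : cap;
    int ok = (placeholder_hash(buf, len) == stored);
    secure_wipe(buf, cap);              /* plaintext gone before return */
    if (locked) munlock(buf, cap);
    return ok;
}

int main(void) {
    char typed[64] = "correct horse";   /* constructed sample input */
    uint64_t stored = placeholder_hash("correct horse", 13);
    int ok = verify_and_wipe(typed, sizeof typed, stored);
    return (ok && is_wiped(typed, sizeof typed)) ? 0 : 1;
}
```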