superxero3

macrumors regular
Original poster
Oct 15, 2008
237
0
I noticed that you can use the command "security" in terminal to access keychain access. After some messing around I found this command:

Code:
security dump-keychain -d

This will go through every item in the keychain and dump the information and the password in clear text. Now there is some security, a little pop up will come up asking you to accept, and NOT ask for a password.

The only way I have found that I can stop this command from dumping my decoded password is using this command:

Code:
security lock-keychain

This will make it so the command will require a password, but there are drawbacks: every time a program like Chrome or Skype wants to use my information it prompts me for a password, and when I put it in it unlocks my keychain again! Has anyone found this before/know a way to fix this problem??

btw I'm on 10.5.8, so maybe this isn't an issue in 10.6. I was thinking of taking away execute permissions on /usr/bin/security for everybody except root:
Code:
sudo chmod 500 /usr/bin/security
...But I don't know if this would cause any problems or programs to not work.
 
From Keychain Access you can view your passwords in plain text as well. You're in your account, which is why you can see them. If you sign in as another user you'll find that you cannot view other user's keychain passwords. There's no security issue here.
 
Yeah but in order to actually check "show passwords" it requires your login password, so you need to know that password.

With terminal you don't need the login password, so someone could just walk up to your computer, dump the passwords without your login password, and they are good to go.
 
Well, that's why you should set your keychain to auto-lock after a specified time, i.e., 20 minutes, and also should lock your machine when stepping away from it if there are other people around you don't necessarily trust. I keep the keychain menu item around so I can easily lock my keychain and lock my screen. The security "issue" you're seeing is only because the keychain is unlocked, which means it's open, so that data is available. With the keychain locked you get prompted for a password before being shown the password data. And as I said, locking is possible through the keychain menu item, Terminal isn't needed.

To turn on Keychain menu item:
  1. Open Keychain Access
  2. Go to Preferences
  3. On General tab, make sure "Show Status in Menu Bar" is checked
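
Added example, not part of the thread: a shell script that audits whether a keychain has the auto-lock settings recommended in the post above (lock on sleep, lock after 20 minutes idle) and can apply them with `security set-keychain-settings`. The line format parsed from `security show-keychain-info`, the function names, and the `--fix` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit/enforce keychain auto-lock with the macOS `security` tool.
MAX_IDLE=1200   # seconds; the 20-minute timeout suggested in the post

# Judge one report line from `security show-keychain-info`.
# Assumed format: Keychain "<path>" [lock-on-sleep] timeout=<n>s | no-timeout
# Prints "ok" or a comma-separated list of findings.
check_info_line() {
    line=$1
    problems=""
    case $line in
        *" lock-on-sleep"*) ;;
        *) problems="no-lock-on-sleep" ;;
    esac
    case $line in
        *" no-timeout"*) problems="${problems:+$problems,}no-timeout" ;;
        *" timeout="*s*)
            secs=${line##* timeout=}   # text after the last " timeout="
            secs=${secs%%s*}           # drop the trailing "s"
            case $secs in
                ''|*[!0-9]*) problems="${problems:+$problems,}unparsed" ;;
                *) if [ "$secs" -gt "$MAX_IDLE" ]; then
                       problems="${problems:+$problems,}timeout-too-long"
                   fi ;;
            esac ;;
        *) problems="${problems:+$problems,}unparsed" ;;
    esac
    echo "${problems:-ok}"
}

# The report goes to stderr, so fold it into stdout before parsing.
audit_keychain() {
    info=$(security show-keychain-info "$1" 2>&1) || { echo "error"; return 1; }
    check_info_line "$info"
}

# -l: lock on sleep, -u: lock after timeout, -t: timeout in seconds
enforce_autolock() {
    security set-keychain-settings -l -u -t "$MAX_IDLE" "$1"
}

# Usage on a Mac: sh autolock.sh login.keychain [--fix]
if command -v security >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    result=$(audit_keychain "$1") || exit 1
    echo "$1: $result"
    if [ "$result" != "ok" ] && [ "${2:-}" = "--fix" ]; then
        enforce_autolock "$1" && echo "$1: $(audit_keychain "$1")"
    fi
fi
```

The keychain name is passed as an argument because it varies by OS version and by user; the script changes nothing unless `--fix` is given.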
 
Where can you do that? Didn't find it, surprisingly...

I'm not at my Mac, but from memory,
Keychain Access > Edit > Change (or Configure) Keychain.

It's not in the preferences, which is where most people first look.
 
Thanks - I'm almost sure I have seen it sometime, but didn't find it when I was looking for it today. It's well hidden (- is that in line with Apple's guidelines?)

Anyways. I noticed that if I lock the login keychain, Mail.app always asks me to enter the password and unlocks it again when it checks for mail. That's annoying, and puts me in a dilemma - security or convenience? Though to me it seems that there should be a way to lock the login keychain AND have Mail check for mail automatically...
 
I feel convenience winning, too. Especially if there is no way to have the login keychain locked but the Mail login passwords unlocked.
 
One solution, make another keychain (separate from login) and assign the Mail password to it and keep it unlocked, while you let login keychain remain locked.
 