Giving computer back to company, how to do I delete all my passwords?

[cmF]

So I need to return my computer back to work. I think a bunch of items are stored in the keychain including passwords to my Gmail, Amazon, Banks, Facebook, iTunes, etc. How do I safely remove ALL passwords that might have been stored? Thanks in advance!

 

[teidon]

This is a bit tricky question and the answer depends on how securely you want to delete them. Most people don't realise how difficult it is to actually delete files from a hard drive, and from SSD it's even more difficult.

If you are happy with deleting the files, and hoping that nobody recovers those "deleted" files: Delete your browser's cookies and other browsing data, delete Flash cookies and delete your Keychain. I don't know if there are passwords stored in other places. Keychain should be encrypted with the password you use to login to your user account, so if no-one at your company knows that password, you don't necessarily need to delete it. Google if you don't know how to get rid of those. You could also just delete your user account, it should get rid of all of that. If you don't have proper permissions to delete your user, you could just delete everything in your home directory. Do notice that most of the thinks you want to delete are in the hidden Library folder (/Users/username/Library).

If you want to be sure that those files aren't recoverable... You need to some how write zeroes over those deleted bits. If you are using El Capitan, the secure empty trash feature was removed because it can't be guaranteed that it works on SSD disks. El Capitan should have a command line tool called "srm" (secure remove) which let's you delete individual files or directories. I'm not sure if it properly works on SSD disks (it seems to be removed from macOS Sierra Public Beta 1). If your company doesn't mind it, you could also wipe the computer and zero format the disk while you do so. It deletes _everything_ from the computer and does so in a way that nothing can be recovered.


When zeroing files or whole disk you have a choice for how many times the bits are written over. One time should be enough if any government agents (or the equivalent in the criminal/terrorist side of things) aren't after your files. 7 times if you are paranoid or the data is very sensitive. 35 times is overkill, but it makes sure no-one can recover anything.

 

[JohnDS]

The easiest way to delete your passwords, etc. is to create a new administrative user. Then log in as the new user and go to the Users and Groups Preference pane and delete the old user, choosing the option to delete the home folder securely. Then delete the home folder securely option is still available in El Capitan.
[doublepost=1468072738][/doublepost]The above should be perfectly safe for most purposes (provided you always stored data in your Home folder and never in the root of the drive.

However, if you want to be perfectly safe, the thing to do is to turn on FileVault (in System Preferences > Security and Privacy) to encrypt your drive. Let the encryption complete (which may take several hours, depending on the size and speed of your drive.)

Then boot into the recovery partition by holding down Command-R. Go to Disk Utility and select MacIntosh HD and the Erase. You will be asked to unlock or unencrypt the partition. Choose "unlock" and enter your password.

Once the partition is erased, back out of Disk Utility and choose to re-install the operating system (or leave it up to your company to do so.)

See: http://www.macworld.com/article/2906499/mac-911-how-to-erase-your-macs-hard-drive-the-right-way.html

 

[Weaselboy]

So I need to return my computer back to work. I think a bunch of items are stored in the keychain including passwords to my Gmail, Amazon, Banks, Facebook, iTunes, etc. How do I safely remove ALL passwords that might have been stored? Thanks in advance!

https://support.apple.com/en-us/HT202860#keychain

Just reset the Keychain.

 

[hallux]

The easiest way to delete your passwords, etc. is to create a new administrative user. Then log in as the new user and go to the Users and Groups Preference pane and delete the old user, choosing the option to delete the home folder securely. Then delete the home folder securely option is still available in El Capitan.
[doublepost=1468072738][/doublepost]The above should be perfectly safe for most purposes (provided you always stored data in your Home folder and never in the root of the drive.

However, if you want to be perfectly safe, the thing to do is to turn on FileVault (in System Preferences > Security and Privacy) to encrypt your drive. Let the encryption complete (which may take several hours, depending on the size and speed of your drive.)

Then boot into the recovery partition by holding down Command-R. Go to Disk Utility and select MacIntosh HD and the Erase. You will be asked to unlock or unencrypt the partition. Choose "unlock" and enter your password.

Once the partition is erased, back out of Disk Utility and choose to re-install the operating system (or leave it up to your company to do so.)

See: http://www.macworld.com/article/2906499/mac-911-how-to-erase-your-macs-hard-drive-the-right-way.html

The problem with this is that it's a company computer. The company possibly has an interest in the company data on the system, they really couldn't care less about personal data or passwords. Wiping the computer before return could be seen as a breach of contract, any data generated for the company during employ is property of the company usually. Also, there may be regulatory reasons for the company to have to maintain a copy of the drive or any data that was on the drive.

 

[grahamperrin]

… ALL …

Including passwords that were stored without an (OS X) keychain?

Did you, for example, allow Firefox to save passwords without Keychain Services Integration?

 

[Alameda]

The problem with this is that it's a company computer. The company possibly has an interest in the company data on the system, they really couldn't care less about personal data or passwords. Wiping the computer before return could be seen as a breach of contract, any data generated for the company during employ is property of the company usually. Also, there may be regulatory reasons for the company to have to maintain a copy of the drive or any data that was on the drive.

I assume that all of your company's data is in three places:
1) /Documents
2) /Desktop
3) E-mail

If you create a new user, you can easily move the files from Desktop and Documents to the new user. That leaves you only with your email files. It depends on which email system your company uses. Most likely, all of the email is on your company's server anyway and they have full access to it.

So my steps would be:
1) Backup the drive to a personal USB drive using Time Machine
2) Create the new user. Do not visit any websites as this new user
3) Move your Desktop and Documents files to the new user
4) Securely delete the old user
6) Turn in the computer

 

[SoundsEclectic]

The easiest way to delete your passwords, etc. is to create a new administrative user. Then log in as the new user and go to the Users and Groups Preference pane and delete the old user, choosing the option to delete the home folder securely. Then delete the home folder securely option is still available in El Capitan.
[doublepost=1468072738][/doublepost]The above should be perfectly safe for most purposes (provided you always stored data in your Home folder and never in the root of the drive.

However, if you want to be perfectly safe, the thing to do is to turn on FileVault (in System Preferences > Security and Privacy) to encrypt your drive. Let the encryption complete (which may take several hours, depending on the size and speed of your drive.)

Then boot into the recovery partition by holding down Command-R. Go to Disk Utility and select MacIntosh HD and the Erase. You will be asked to unlock or unencrypt the partition. Choose "unlock" and enter your password.

Once the partition is erased, back out of Disk Utility and choose to re-install the operating system (or leave it up to your company to do so.)

See: http://www.macworld.com/article/2906499/mac-911-how-to-erase-your-macs-hard-drive-the-right-way.html

This is a company computer, the OP is not selling the computer to someone off Craigslist. LOL

I'm a IT manager and systems admin (Mainly for Windows environments), in my 15 years in IT I've never had a user wipe the drive or even really delete too much off their computer when they returned it. If an employee leaving the company wiped the drive, that would be a red flag. The computer is property of the company, not the employee. All data on the computer is intellectual property of the company as well. Wiping the drive intentionally means you are destroying company data.

Like a poster said above, just change the keychain password and delete your browser cache. Even if the user account is reset, the keychain will not be accessible.

 

[Apple fanboy]

This is a company computer, the OP is not selling the computer to someone off Craigslist. LOL

I'm a IT manager and systems admin (Mainly for Windows environments), in my 15 years in IT I've never had a user wipe the drive or even really delete too much off their computer when they returned it. If an employee leaving the company wiped the drive, that would be a red flag. The computer is property of the company, not the employee. All data on the computer is intellectual property of the company as well. Wiping the drive intentionally means you are destroying company data.

Like a poster said above, just change the keychain password and delete your browser cache. Even if the user account is reset, the keychain will not be accessible.

Lucky you. We had a guy who attempted to wipe his hard drive and reinstall Windows.
When our IT guy looked into it, the files that he found meant he had to inform the MD and the police were called.
He wasn't the brightest when it came to covering his tracks.
I wonder if he's out yet?

 

[Alameda]

Like a poster said above, just change the keychain password and delete your browser cache. Even if the user account is reset, the keychain will not be accessible.

I have a question:
Many Mac users use two or three browsers -- Chrome, Safari and Firefox. Will deleting the browser cache on all three definitely delete all stored passwords?

 

[circatee]

I have a question:
Many Mac users use two or three browsers -- Chrome, Safari and Firefox. Will deleting the browser cache on all three definitely delete all stored passwords?

I recommend deleting the cache and in settings on the browsers there is a stored\manage password box. Clear the items in there, too...

 

[thekev]

Why not inquire with the IT department as to their policies on this? There are too many silly assumptions on here as to what is considered okay. Obviously reset keychains and clear your browser cache. The rest of it is potentially very bad advice.

If you are truly concerned about this, treat company computers as public computers when it comes to personal data. Keep your personal stuff on your personal electronics. It won't help this time, but you can avoid doing the same thing in the future.

Lastly, why wouldn't you simply update your passwords at this point? That's the most obvious and logical thing to do, yet no one else mentioned it.

 

[\-V-/]

What browser(s) were you using?

 

[grahamperrin]

… Will deleting … definitely delete …?

No.

Deletion of data typically does no more than change the directory for the space used by that data.

 

[Alameda]

No.

Deletion of data typically does no more than change the directory for the space used by that data.

Sorry, what I meant was whether it will delete all of the browsing data, saved passwords, etc. I wasn't asking how the file system works.

 

[JohnDS]

It depends on what you mean by "delete". What Graham is saying is that anything that you "delete" on a computer is generally speaking easily recoverable and can be undeleted unless you use one of the methods above to securely delete the data. So it depends on whether you are trying to hide the data from a casual users, or from someone with a few computer skills.

 

[Alameda]

It depends on what you mean by "delete". What Graham is saying is that anything that you "delete" on a computer is generally speaking easily recoverable and can be undeleted unless you use one of the methods above to securely delete the data. So it depends on whether you are trying to hide the data from a casual users, or from someone with a few computer skills.

In this person's case, he must first delete the data (delete all browser settings) and then, optionally, erase the free space.

 

[thekev]

It depends on what you mean by "delete". What Graham is saying is that anything that you "delete" on a computer is generally speaking easily recoverable and can be undeleted unless you use one of the methods above to securely delete the data. So it depends on whether you are trying to hide the data from a casual users, or from someone with a few computer skills.

That's why he should simply update all passwords. It eliminates the issue of doubt here. I would imagine most IT departments have some policy in place for securely wiping user data before hardware is reassigned, but invalidating old passwords still seems like the most secure option.

 

[grahamperrin]

At a glance, I have around five hundred passphrases. If I look in depth, I'll find that some of those phrases relate to servers or services that no longer exist. I'll find a large number that can not be changed without triggering an e-mail from a service provider and then responding to that e-mail. Critically: for some servers, it will be inappropriate for me to change the phrase. My case aside …

… seeing that the opening poster uses a notebook, and assuming that his or her passwords are not limited to keychains, I recommend the combination of:

1. attention to the System keychain, which is not in the home directory – there may be passwords for home networks, and so on; and then
   
2. deletion of the home directory (or of all parts that might contain a passphrase) coupled with whatever will prevent recovery of deleted data.