How secure is keychain?

[Celeron]

Having recently completely completely switched from the PC to the Mac (new Mac Pro, woot) I've been without a password manager. On the PC I use the open source KeePass program. It isn't flashy or anything like that, but it gets the job done. I've read that one can use OS X's keychain app for similar functionality.

Has anyone used it for this purpose?

How secure is keychain?

Thanks in advance!

 

[mad jew]

It's part of the system, so most people will be using it without even realising. I use it and find it to be extremely secure.

 

[CalBoy]

Personally, I find the idea of Keychain to be a bit ironic. Perhaps it's just simple paranoia, but I'd prefer all of my passwords to be stored in only one place: my head. I feel that while it's a bit inconvenient, it is safer overall.

 

[XnavxeMiyyep]

You will find Keychain Access in /Applications/Utilities.

With your root password, you can view nearly every saved password on your computer.

 

[killerrobot]

Personally, I find the idea of Keychain to be a bit ironic. Perhaps it's just simple paranoia, but I'd prefer all of my passwords to be stored in only one place: my head. I feel that while it's a bit inconvenient, it is safer overall.

Yeah, I totally agree. And if you are freaked out about security at all, that's the only way to keep it truly safe and out of other people's hands.

 

[CalBoy]

You will find Keychain Access in /Applications/Utilities.

With your root password, you can view nearly every saved password on your computer.

So this means that with a login password, one can know every bank password, credit card login, etc? Seems my hunch about Keychain was right all along.

 

[povman]

With your root password, you can view nearly every saved password on your computer.

What?? Have you actually done that? From the Apple doc:

All of the password data in the keychain is protected using the Triple Digital Encryption Standard (3DES).

That means you can ONLY get to the keychain if you know its password. On the other hand, if you forget the password, you're screwed. By default your login keychain uses the same password as your user account, so it can be unlocked when you login. Otherwise you can turn off 'Synchronise login keychain password' and 'Set login keychain as default'.

Also, 'nearly every saved password' seems to imply you can see login passwords, but you can't. They're stored as a hash of your real one so it's really, really hard to work out what someone's password is.

 

[Shadow]

3DES sucks though, AES is where its at.

 

[XnavxeMiyyep]

That means you can ONLY get to the keychain if you know its password.

Right, the root password. I use it to check my AIM and MSN passwords when I forget.

If you can access Keychain, you probably already know the login password.

 

[povman]

Right, the root password. I use it to check my AIM and MSN passwords when I forget.

If you can access Keychain, you probably already know the login password.

You implied that if a user knew the 'root' password, the user would then know everyone's password on the system. Not true.

a) Mac OS X doesn't even have root enabled by default
b) If you know someone else's password, and if they haven't set a different password for their keychain (you can do that), then logically you can access their keychain. If someone knows your password, they get your stuff. It's like if someone copied a key to your house. (whoops!)
c) Even if the root account was enabled, and someone could get in, doesn't mean they can access every other user's keychain. They're encrypted with the users' particular passwords!

If you want to set a keychain password different to your login, open Keychain Access, Edit->Change Password for Keychain "login". Then when someone finds out your user password, they still won't have access to your keychain.

 

[mad jew]

So this means that with a login password, one can know every bank password, credit card login, etc? Seems my hunch about Keychain was right all along.

If your bank allows Keychain to remember your login settings then you need to talk to your bank about getting a more secure website. Bank websites should not give you the option to save your login details. Similarly, credit card information would genberally be handled by the specific browser's AutoFill feature rather than Keychain. I can't speak for all browsers, but I know Safari gives me the option not to remember certain aspects of its AutoFill.

 

[XnavxeMiyyep]

You implied that if a user knew the 'root' password, the user would then know everyone's password on the system. Not true.

a) Mac OS X doesn't even have root enabled by default
b) If you know someone else's password, and if they haven't set a different password for their keychain (you can do that), then logically you can access their keychain. If someone knows your password, they get your stuff. It's like if someone copied a key to your house. (whoops!)
c) Even if the root account was enabled, and someone could get in, doesn't mean they can access every other user's keychain. They're encrypted with the users' particular passwords!

If you want to set a keychain password different to your login, open Keychain Access, Edit->Change Password for Keychain "login". Then when someone finds out your user password, they still won't have access to your keychain.

Ok. I didn't realize the Keychain password could be changed. Sorry.

 

[Ringtail]

What?? Have you actually done that? From the Apple doc:

That means you can ONLY get to the keychain if you know its password. On the other hand, if you forget the password, you're screwed. By default your login keychain uses the same password as your user account, so it can be unlocked when you login. Otherwise you can turn off 'Synchronise login keychain password' and 'Set login keychain as default'.

Also, 'nearly every saved password' seems to imply you can see login passwords, but you can't. They're stored as a hash of your real one so it's really, really hard to work out what someone's password is.

Actually, there are scripts, that if you run with root privileges, can view all usernames, websites, and passwords you have saved through keychain. So, it is possible, that without the actual keychain password, but with a password to an Administrator account, you can recover your passwords.