Keychain - Security vulnerability?

Discussion in 'macOS' started by superxero3, Feb 17, 2010.

  1. superxero3 macrumors regular

    Joined:
    Oct 15, 2008
    #1
    I noticed that you can use the command "security" in terminal to access keychain access. After some messing around I found this command:

    Code:
    security dump-keychain -d

    This will go through every item in the keychain and dump the information and the password in clear text. Now there is some security: a little pop-up will come up asking you to accept, and NOT asking for a password.

    The only way I have found that I can stop this command from dumping my decoded password is using this command:

    Code:
    security lock-keychain

    This will make it so the command will require a password, but there are drawbacks: every time a program like Chrome or Skype wants to use my information it prompts me for a password, and when I put it in it unlocks my keychain again! Has anyone found this before/know a way to fix this problem?

    BTW I'm on 10.5.8, so maybe this isn't an issue in 10.6. I was thinking of taking away execute permissions on /usr/bin/security for everybody except root:
    Code:
    sudo chmod 500 /usr/bin/security

    ...But I don't know if this would cause any problems or programs to not work.
     
  2. angelwatt Moderator emeritus


    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    From Keychain Access you can view your passwords in plain text as well. You're in your account, which is why you can see them. If you sign in as another user you'll find that you cannot view other users' keychain passwords. There's no security issue here.
     
  3. superxero3 thread starter macrumors regular

    Joined:
    Oct 15, 2008
    #3
    Yeah but in order to actually check "show passwords" it requires your login password, so you need to know that password.

    With terminal you don't need the login password, so someone could just walk up to your computer, dump the passwords without your login password, and they are good to go.
     
  4. angelwatt Moderator emeritus


    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    Well, that's why you should set your keychain to auto-lock after a specified time, i.e., 20 minutes, and also should lock your machine when stepping away from it if there are other people around you don't necessarily trust. I keep the keychain menu item around so I can easily lock my keychain and lock my screen. The security "issue" you're seeing is only because the keychain is unlocked, which means it's open, so that data is available. With the keychain locked you get prompted for a password before being shown the password data. And as I said, locking is possible through the keychain menu item; Terminal isn't needed.

    To turn on Keychain menu item:
    1. Open Keychain Access
    2. Go to Preferences
    3. On General tab, make sure "Show Status in Menu Bar" is checked
     
  5. pit29 macrumors 6502a


    Joined:
    May 23, 2006
    Location:
    The Golden State
    #5
    Where can you do that? Didn't find it, surprisingly...
     
  6. angelwatt Moderator emeritus


    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    I'm not at my Mac, but from memory,
    Keychain Access > Edit > Change (or Configure) Keychain.

    It's not in the preferences, which is where most people first look.
     
  7. miles01110 macrumors Core


    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #7
    It's "Change Settings for Keychain "login"... "

    but close!
     
  8. pit29 macrumors 6502a


    Joined:
    May 23, 2006
    Location:
    The Golden State
    #8
    Thanks - I'm almost sure I have seen it sometime, but didn't find it when I was looking for it today. It's well hidden (is that in line with Apple's guidelines?)

    Anyways. I noticed that if I lock the login keychain, Mail.app always asks me to enter the password and unlocks it again when it checks for mail. That's annoying, and puts me in a dilemma - security or convenience? Though to me it seems that there should be a way to lock the login keychain AND have Mail check for mail automatically...
     
  9. miles01110 macrumors Core


    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #9
    That's "the" dilemma when it comes to these things. Convenience usually wins ;-)
     
  10. pit29 macrumors 6502a


    Joined:
    May 23, 2006
    Location:
    The Golden State
    #10
    I feel convenience winning, too. Especially if there is no way to have the login keychain locked but the Mail login passwords unlocked.
     
  11. angelwatt Moderator emeritus


    Joined:
    Aug 16, 2005
    Location:
    USA
    #11
    One solution, make another keychain (separate from login) and assign the Mail password to it and keep it unlocked, while you let login keychain remain locked.
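Pulling the thread's advice together as an added shell script (not posted by anyone in the thread): it sets the login keychain to lock on sleep and after the 20-minute idle timeout suggested in #4, creates the separate Mail keychain from #11, and locks the login keychain now, all with the same security(1) tool the OP used. The keychain paths, the "Mail.keychain" name, and the assumption that login.keychain is the only entry in the user search list are mine.

```shell
#!/bin/sh
# Added example, not from the thread: apply the mitigations discussed above
# with the same security(1) tool the OP used for dump-keychain.
# Run with no arguments for a dry run (prints commands); --apply executes.

LOGIN_KC="$HOME/Library/Keychains/login.keychain"  # pre-10.12 path (assumption)
MAIL_KC="$HOME/Library/Keychains/Mail.keychain"    # constructed name
AUTOLOCK_MINUTES=20                                # value suggested in post #4

# Build the arguments for "security set-keychain-settings":
#   -l  lock when the system sleeps
#   -u  lock after an idle timeout
#   -t  timeout in seconds (without -u/-t the keychain never auto-locks)
settings_args() {
    minutes=$1
    if [ "$minutes" -gt 0 ] 2>/dev/null; then
        echo "-l -u -t $((minutes * 60))"
    else
        echo "-l"   # lock on sleep only
    fi
}

# Print the command in dry-run mode; execute it under --apply.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "+ $*"; fi
}

harden_keychains() {
    # 1. Login keychain: lock on sleep and after AUTOLOCK_MINUTES idle. While
    #    locked, "security dump-keychain -d" prompts for the keychain password
    #    instead of printing secrets in clear text.
    run security set-keychain-settings $(settings_args "$AUTOLOCK_MINUTES") "$LOGIN_KC"

    # 2. Separate keychain for Mail (post #11): it stays unlocked while login
    #    is locked. -P prompts for its password rather than taking it on the
    #    command line, where it would land in shell history.
    run security create-keychain -P "$MAIL_KC"
    run security set-keychain-settings "$MAIL_KC"   # no -u/-t: never auto-locks
    # Make it searchable. Assumes login.keychain is the only keychain currently
    # in the user search list; check with "security list-keychains -d user".
    run security list-keychains -d user -s "$LOGIN_KC" "$MAIL_KC"
    # Move the Mail item into Mail.keychain by dragging it in Keychain Access.

    # 3. Lock login now and show the settings that took effect.
    run security lock-keychain "$LOGIN_KC"
    run security show-keychain-info "$LOGIN_KC"
}

[ "${1:-}" = "--apply" ] && APPLY=1 || APPLY=0
if [ "$APPLY" = "0" ] || command -v security >/dev/null 2>&1; then harden_keychains; fi
```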
     