Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Mac OS X Stores Passwords As Plain-Text

Punani

Punani

macrumors regular
Original poster
Jun 16, 2004
199
0
Los Angeles
It appears that at least Mac OS X 10.3.X stores passwords in plain-text.

Running this command "sudo strings -8 /var/vm/swapfile0 | grep -A 4 -i longname" Or one of the various other swap files in the directory(e.g. /var/vm/swapfile3) can yield your password in plain-text.

Although I realize that swap files require root access and/or physical access, the swap files are simply "ready to be deleted" when Mac OS X reboots, they are not purged. One could possibly enter single-user mode or boot with the installation disks and check if the passwords are still stored somewhere.

This could render FileVault and Keychain encryption moot.

Found on BugTraq: http://securityfocus.com/archive/1/367116/2004-06-24/2004-06-30/2
 
That's pretty serious! I thought passwords were supposed to go through a hash function so that the real password wouldn't be stored anywhere on the system after it's creation.
 
Yes, the password is hashed, but that's a different part of the process. What is happening here is that the login panel is accepting the plaintext password from the user (which is then hasned and compared against netinfo), but that plaintext version isn't being wiped after it is used. They'll be able to fix this one, but sheesh, someone at Apple must be feeling awfully silly right now.
 
iMeowbot said:
Yes, the password is hashed, but that's a different part of the process. What is happening here is that the login panel is accepting the plaintext password from the user (which is then hasned and compared against netinfo), but that plaintext version isn't being wiped after it is used. They'll be able to fix this one, but sheesh, someone at Apple must be feeling awfully silly right now.
Click to expand...
Ah .. ok ... that also explains why it would be swapped out to disk. The login panel isn't used after login, and (some part of) it isn't released from memory, apparently, so it will eventually be swapped out to disk after some user activity.
 
Yeah, the login window is a daemon, it hangs around as long as the GUI is running.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back