> That's totally misleading. Firstly, there is no point in encrypting data which can be seen in the browser address bar when the previous session is restored. Secondly, those are URL params, sent in plain text over the wire. The problem with the example shown is not at the browser end, it's the site at the other end which uses URL params for auth over HTTP, not HTTPS. Storm in a teacup, anyone?

You are saying that because it is sent unencrypted over the Internet, that's a perfect reason not to encrypt the URL locally?
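The exchange above turns on URLs that carry authentication material in their query string and are then kept on disk by session restore. As an added example (not code from this thread), here is a small audit that flags such URLs, distinguishes plain-HTTP ones from HTTPS ones, and redacts the values before they are written anywhere; the parameter-name list and the sample URLs are constructed for illustration.

```python
"""Audit URLs (e.g. from a restored browser session or a history export) for
credential-like query parameters and redact them before logging or storage.
Added example; the key list and sample URLs below are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry authentication material (constructed list).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass", "token", "access_token", "auth",
    "apikey", "api_key", "session", "sessionid", "sid", "secret",
}


def sensitive_params(url):
    """Return the query-parameter names in `url` that look like credentials (case-insensitive)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, _ in pairs if k.lower() in SENSITIVE_KEYS]


def classify(url):
    """'plaintext-credential': auth material in the query of an http:// URL (on the wire
    and on disk in the clear); 'credential-in-url': same over https:// (still stored in
    the clear by history/session files); 'ok': nothing credential-like found."""
    if not sensitive_params(url):
        return "ok"
    scheme = urlsplit(url).scheme.lower()
    return "plaintext-credential" if scheme == "http" else "credential-in-url"


def redact(url):
    """Replace the value of every sensitive parameter with REDACTED, keeping the rest intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def audit_session(urls):
    """Return (redacted_url, classification) for each URL so findings can be logged safely."""
    return [(redact(u), classify(u)) for u in urls]


# Constructed sample of what a session-restore file might hold.
SAMPLE_SESSION = [
    "http://shop.example/login?user=bob&password=hunter2",
    "https://api.example/v1/items?token=abc123",
    "https://www.example.com/search?q=keychain",
]

if __name__ == "__main__":
    for redacted_url, verdict in audit_session(SAMPLE_SESSION):
        print(f"{verdict:21} {redacted_url}")
```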
 
> You said yourself, the Keychain is unlocked when you log in. All passwords can easily be taken from it when any user is logged in.

As others have pointed out, you can't just take passwords from the Keychain even with the user logged in. It's much more difficult than what you're imagining. I'll refer you to this article: http://bit.ly/JA0fhQ.

But returning to your original comment, you're suggesting that the encrypted Keychain is just as insecure as Safari storing your passwords in plain text. That's simply not true. To steal passwords stored in plain text, I can use any method that gives me access to your hard drive - no password required at all.

You, however, are arguing that if I'm currently logged into my account, then you can access my Keychain passwords. Let's pretend that's true for a moment. If someone gets access to your computer while it's logged in, of course you can't count on the security features; that's really a no-brainer. Instead of trying to read your Keychain, an attacker can just open a browser and navigate to any site that keeps you logged in or autofills your password. Why steal the keys when the vault is already open?

But assuming you practice good information security, you would obviously log out or lock your computer before leaving it unattended. Then an attacker may still be able to read anything stored in plain text, but they would have no practical way of accessing your Keychain. It's not "open" in any sense as you suggested.
 
Every time a security issue pops up, I think to myself, "Crap! I have to make sure I fix or avoid that."

Then I go look and realize I already do.
 
Geezus, people love to bash on Apple. The file is a secret hidden file in the OS X filesystem and cannot be easily accessed by anyone or any application. There is no security issue here. None whatsoever. And yes, I do security consulting for a living, so I do understand real threats.
 
> Geezus, people love to bash on Apple. The file is a secret hidden file in the OS X filesystem and cannot be easily accessed by anyone or any application. There is no security issue here. None whatsoever. And yes, I do security consulting for a living, so I do understand real threats.

You're obviously a security consultant™:

- promoting security through obscurity
- stating that a file in ~/Library is "secret" and cannot be easily accessed

:p
 
> As others have pointed out, you can't just take passwords from the Keychain even with the user logged in. It's much more difficult than what you're imagining. I'll refer you to this article: http://bit.ly/JA0fhQ.
>
> But returning to your original comment, you're suggesting that the encrypted Keychain is just as insecure as Safari storing your passwords in plain text. That's simply not true. To steal passwords stored in plain text, I can use any method that gives me access to your hard drive - no password required at all.
>
> You, however, are arguing that if I'm currently logged into my account, then you can access my Keychain passwords. Let's pretend that's true for a moment. If someone gets access to your computer while it's logged in, of course you can't count on the security features; that's really a no-brainer. Instead of trying to read your Keychain, an attacker can just open a browser and navigate to any site that keeps you logged in or autofills your password. Why steal the keys when the vault is already open?
>
> But assuming you practice good information security, you would obviously log out or lock your computer before leaving it unattended. Then an attacker may still be able to read anything stored in plain text, but they would have no practical way of accessing your Keychain. It's not "open" in any sense as you suggested.

I've been a computer forensic examiner for over 8 years and work with government agencies around the world. Fairly certain I know what I'm talking about. There are plenty of tools for ripping all your Keychain info along with all kinds of other fun stuff.
 
> I've been a computer forensic examiner for over 8 years and work with government agencies around the world. Fairly certain I know what I'm talking about. There are plenty of tools for ripping all your Keychain info along with all kinds of other fun stuff.

So if I send you a .keychain file you can decrypt its content?
 
> I've been a computer forensic examiner for over 8 years and work with government agencies around the world. Fairly certain I know what I'm talking about. There are plenty of tools for ripping all your Keychain info along with all kinds of other fun stuff.

I can't tell if you're trolling anymore. But in case you're being serious, that's the most ridiculous response I've seen recently.

First you say that the Keychain is open for everyone to see. Now you say you can't decrypt the Keychain yourself, but those evil government agencies sure can. And by appealing to your supposed credentials instead of making an actual argument, you've shown you have no idea what you're talking about.

And FYI, I've been a "forensic examiner" for 80 years, therefore my words carry 10 times more authority than yours.
 
> I can't tell if you're trolling anymore. But in case you're being serious, that's the most ridiculous response I've seen recently.
>
> First you say that the Keychain is open for everyone to see. Now you say you can't decrypt the Keychain yourself, but those evil government agencies sure can. And by appealing to your supposed credentials instead of making an actual argument, you've shown you have no idea what you're talking about.
>
> And FYI, I've been a "forensic examiner" for 80 years, therefore my words carry 10 times more authority than yours.

Buy a new Mac. By default when creating an account, the user isn't prompted to provide their password at startup. Once logged in, the default state of the Keychain is open. Boom, all your passwords are open for the picking. Programs like MacLockPick 3 can easily pull all those passwords, email history, chat history, address book content, web browser history, iPhone content, and more.
 