Ugh, the people I work with (I work for a security firm) consider this a "hack" as well. This is expected behavior! How do you expect your passwords to autofill across browsers? It is called the login keychain for a reason. If someone has access to your user account, and your user account has associated web passwords that can be summoned without re-entering your login password, then the logical conclusion is that your web passwords are not safe.
However, Keychain Access is perfectly secure as a dead-simple manual password manager. Just create a new keychain (I call mine "webpasses"), give it a password different than your login password, and manually save your web passwords in that. Yes you have to open Keychain Access every time you want to save (or copy the plaintext of) a password. Yes it's a bitch. But if you save your passwords in the correct format (description=website URL, username=website username) then Chrome and Safari will find it, ask for your "webpasses" keychain password, and autofill, no questions asked. Bonus points because you can save your new keychain in your dropbox and use it across multiple (osx) machines. I store all my credit card numbers in one keychain file, everything is AES encrypted IIRC so it's as good a solution as any as far as "one-password-auth" goes.
[/rant]
(note: I chose this solution because I am paranoid -- er, security conscious. The average user will NOT want to enter a password anytime he/she wants to autofill, and there's really no way to do this in a secure manner)
I don't think it's obvious that Keychain isn't automatically secure within a logged-in user account. Apple makes a big deal about their products being intuitive, "it just works." They really ought to implement the system that Lastpass and other password managers use and allow the user to separately "unlock" Keychain before the passwords autofill.
*Edit: Actually it looks like you can set Keychain to lock automatically after X minutes of inactivity or when the computer sleeps.
Better yet, open "Keychain Access", go to the preferences general tab, and click "Show keychain status in menu bar". Voilà, now you can lock and unlock keychains without switching applications. (This has been around for a long time, too.)
Don't forget, unlike windows, LOCKING a mac is not easy. The only way I know is to use the lock command of Alfred. In windows: Windows + L = lock boom. Because of this, most people in the office leave their macs unsecured.
I guess a bigger question is why don't we use challenge/response authentication for websites? This way, a program like keychain could answer challenges without ever exposing plain-text passwords.
Still, somehow keychain would have to know the passwords, and presumably they would have to be encrypted with the login password of the current user. So it would still be possible for the current user to extract their own passwords. I don't think it is possible to hide passwords on the client side.
The server sends a challenge to the client. The client computes response = f(challenge, password), and sends the response. Then the server compares the response with its own computation of f(challenge, password). Since f is some type of hash function, we can assume that the client knew the actual password, as it would have been too hard computationally to come up with the correct response without it.
In such a scheme, the keychain can do the computation and the password never leaves the keychain. We can even go as far as to have the keychain be separate hardware (eg USB dongle), so the password never even has to exist on the client's computer at all.
I was simply trying to clarify the challenge-response mechanism for the parent poster, not suggesting you use keychain dongles everywhere.
Regardless, the idea that the plaintext password doesn't have to leave the device (whether the device is a dongle, your phone, or the keychain application) is a valuable consequence of the challenge-response mechanism, and I wish support for it were more widespread.
The reason for why it isn't widespread is because you also have to spread it across all your devices. Which is neither secure nor usable enough for the mainstream today.
Unless that is solved it isn't a solution worth considering.
Not worth considering as a 'fits all' solution, yes, but it still is worth considering for specialized cases; in general, those cases where the added inconenience is worth the added security. For example, some banks use effectively this for logging in to your online account. And that can be made to work with any device with a display and a keyboard:
- computer shows challenge#
- user types challenge# on bank supplied device
- bank supplied device shows response
- user types response on computer
On that note, it actually seems like a pretty good place for Apple to sweep in and take some thunder from 1Password et al, by sprucing up the Keychain app and making it something that everyone can sort of use without thinking about it. Just throw around talk of 'sandboxing' and 'secure access', turn it on by default, profit. Then if (by default) you needed an Apple device and iCloud account to login to all your shit... I think you see where this is going.
I don't think Apple will do that: I think that Keychain is like the Reader mode and Reading List in Safari. It has some features that are like those of a third-party service, but because Apple isn't invested in the service for its own sake, the effect is that it raises the bar for third-party services, not that it replaces third-party services.
Well I don't necessarily think it's a good thing... but it seems like just the sort of opportunity awaiting them (and their lawyers, when the antitrust suits eventually come).
Hardly a security flaw. How do you expect Safari/Chrome autofill the same passwords? And after the password is auto-filled any JavaScript can access the input's value attribute.
I use this in my .emacs so Emacs can grab passwords from Keychain, but the same approach would work in bash too:
(defun find-keychain-password (host) ()
(condition-case nil
(let ((passstr (second (split-string (first (process-lines "/usr/bin/security" "find-internet-password" "-gs" host)) ": "))))
(substring passstr 1 (1- (length passstr))))
(error nil)))
I'm inclined to agree. It looks like this is the same "hack" detailed last week, though through a terminal command instead of an application. As we learned last week, by default, OS X is set to never lock the keychain once it is logged in. It's a conscious choice of default set by Apple. If you care about tighter security, just change the autolock time or use separate keychains.
No, last week's was root only, operated by searching through RAM for various keys, and was notable for displaying passwords for every logged-in user, which this will not do.
First of all, if someone has unauthorized physical access to your device, you're pretty hosed. Especially if they happen to have a current logged in session. Forget passwords, they have cookies and mail.app and bookmarks. Second, if you must lend your computer to an untrusted person, use the Guest session. I just tried this and confirmed that there is no immediately obvious way for a person logged in to a guest session to access my keychain.
Knowing this, I will rewrite the opening line to the article.
Original line: "Here’s a reason why you shouldn’t let anyone use your computer."
My revised line: "Here's a reason why you shouldn't let [untrusted persons] use [a non-guest session on] your computer."
What do you mean "Forget passwords, they have cookies..."? Since when is having a cookie better than having the password that can give you the cookie anyway?
Some web sites will require you to login again if your IP address changes, no matter what cookies you have. Additionally, the cookie expires. For these websites, the password is much better.
shadowflit made a good point about two-factor authentication. I would also add that by having cookies (and hence a presumed established session with you bank, email provider, or social network) you bypass one of the steps to get what you presumably want: access. I mean to point out that there is no reason to run this script if you already have physical access to a computer with the target's account logged on. You already have the extra access you need.
I think I had this same problem with Mail.app. I "solved" it by creating a separate keychain that just locks on sleep, but doesn't timeout, and moving my Mail passwords into that keychain. Presumably the same thing would work for iCal.
Just in case anybody else doesn't see the 'login' keychain: the square button with a triangle in the bottom left corner shows and hides an additional list of keychains
I was about 5 minutes in to the docs to set up a quicksilver task to do this - thanks for helping me avoid re-inventing the wheel. Yours was the better 'hack'. ;)
The reason this is strange behaviour is that when you try to access private info from within keychain you have to enter your user password each time. Using this command you just need to click on the allow button.
The keychain only allows applications that you authorize to access a given password, right? So for example, when I upgrade Transmit, it needs to ask for my permission to access the passwords again. Does that give it access to everything or just a specific password / set of passwords?
An application can only read passwords you've specifically allowed it to. When you upgrade Transmit it only gets access to that subset.
If you're curious go to Keychain Access, double click an item and look at the Access Control tab. You can even force password entry there if you want extra security on certain items.
Perhaps, but the Transmit developers could actually even use code signing to get Keychain to recognize multiple versions (new ones, but also alternative builds such as might be distributed by the Mac App Store) as the "same" application (Google "designated requirements"). Either way, though, barring security bugs (including unnecessarily permissive designated requirements being used by other apps), this should only give Transmit access to passwords you've specifically authorized for Transmit. Of course, if Transmit were malicious and one of these passwords happened to be your local login password...
Admittedly I was a bit shocked to see my passwords start pumping out: all I needed to do was click "Allow" and away it went. Why would keychain remain unlocked? Why doesn't that command need sudo? This seems like a pretty decent security flaw to me...
Why would it need sudo? If that were the case, then every web browser and every IM client and everything else on your computer with a password would need sudo.
You're telling your computer to save your passwords and give them back to you later. You shouldn't be surprised when it gives them back to you later.
So, generally each application needs to be authorized separately. I should have to type my password to allow this application to access my passwords. If I can just click "allow" with no password, then so can anyone else trivially with Terminal access.
If I go into Keychain access, and ask to see a password, it prompts for my master password before showing it to me. This should too.
From KeyChain's point of view, this command-line utility, /usr/bin/security, is no different from other GUI applications like Mail.app and Safari.app that relies on KeyChain to supply remembered passwords. If you expect KeyChain to prompt you for your master password when /usr/bin/security asks KeyChain for passwords, then you will be prompted every time Mail.app checks your email.
Actually you can configure KeyChain to do just that: just set the keychain to lock after 0 minutes of inactivity. But there is always the tradeoff between security and convenience. And when you give away physical access and a logged-in session away to a malicious user, offering protection will require a lot of inconvenience.
Is this sarcasm? You clicked "Allow"; what would you expect of an application to which you granted access to your keychain, other than for that application to thereby gain access to your keychain?
Why is someone who is not you logged in using your account with the ability to click that button in the first place?
Layering security on the user account after login tends to annoy the hell out of people. Ask any users you know what they think of Windows 7/Vista's UAC.
I agree with your first sentence. I sort of agree with the people saying this behaviour is by design and is not a serious security flaw.
> Layering security on the user account after login tends to annoy the hell out of people. Ask any users you know what they think of Windows 7/Vista's UAC.
But this isn't another OS. This is OS X, which is built on BSD, and BSD is a secure OS. Another question to ask would be "Ask any users you know what they think of sudo".
I like the article. It's not sensationalist. It's not dramatic. It's just saying "Hey, do this! Surprised? This is why you need to be careful with your account and your password."
That seems reasonable to me. Many people Using OS X are not from a Unix background. They have never used a BSD before. They don't really have the security stuff ingrained.
Gentle reminders from time to time are a good thing.
Your login Keychain is usually unlocked - it's encrypted with a key derived from your password that's held in memory from when you log in.
You can lock your login Keychain (or any other) from Keychain Acccess (/Applications/Utilities) or from the security menu bar item (if you have it added) and you'll be asked for the password rather than asked to "allow" it.
While it is shocking to see your passwords scroll by in plaintext, a careful consideration of how to fix the problem, one realizes that the offered solution really isn't good enough. Many applications require your passwords in order to run, and the Keychain is the way OSX apps get those passwords.
After a little thought, there are two solutions. First, and best, is to log out, and let your guest use a guest account. Or second, watch over the persons shoulder (which is probably a good idea anyway for the security conscious.)
But, personally my biggest concern is that it highlights how trivial it is for locally installed software to access my other passwords! It means that all of my passwords are only as protected as my least-trusted local app. And I have to say, my least trusted app is pretty untrusted. The only saving grace is that OSX asks me if I want to allow an app to access that password.
Alternatively, it might be worthwhile to switch from using Keychain to using pass, a far better and simpler alternative:
http://zx2c4.com/projects/password-store
Perhaps, but assuming you use the pasteboard feature, this appears to have the same weaknesses as Keychain, and then some. Two come immediately to mind:
I. OS X Screen Sharing, Microsoft's Remote Desktop Connection, and many other remote access clients enable pasteboard sharing with remote hosts by default.
II. Less importantly, any well-known executable taking account identifying information on the command line and storing the account's password in the pasteboard gives local root users an easy way to obtain passwords upon use, with only public, documented APIs:
1. Set dtrace probes on syscall::exec*:entry to fire whenever pass runs.
2. For each such run, save the arguments to pass (obtained in dtrace with copyinstr) and the pasteboard's contents[1], then poll the pasteboard for the next few seconds, and if it changes, save the new contents as well. Depending on the timing, I assume one or the other will be the password for the account described by the arguments to pass.
Finally, I'm not sure what the problem with Keychain here is supposed to be in the first place: after clicking "deny" about 1,000 times, the only passwords the suggested command
revealed on my systems were the blank ones, and my login keychain is not "locked". So I guess this means blank AFP and SMB passwords shouldn't be relied upon to provide meaningful security?
[1] To access the pasteboard server, your "snooping agent" must run in the target user session's Mach bootstrap namespace. Running as root, this is easy:
should do the trick, where PID is the UNIX process ID of the appropriate loginwindow process (under normal circumstances this will be the only loginwindow with the target's EUID).
> I. OS X Screen Sharing, Microsoft's Remote Desktop Connection, and many other remote access clients enable pasteboard sharing with remote hosts by default.
Don't use -c then. Inherent weakness of clipboard.
> II. While I wouldn't personally consider it a "real" security problem, any well-known executable taking account identifying information on the command line and storing the account's password in the pasteboard gives local root users an easy way to obtain passwords upon use, with only public, documented APIs:
This is ridiculous. Of course, if someone has root access they can do whatever they want.
Your technical comments are a bit overblown. If you're root, just replace the executable with a program that pilfers off the passwords. Easy as pie. But sure, you can also dtrace, or load a kernel module, or ... anything?
Not to mention, if you're root, you can just listen to keystrokes, or monitor browser logins, or sniff input fields, or take memory dumps of the whole system, or ... um... anything?
No FUD intended. Given the option, when the alternative is manual entry, many people will use the pasteboard, security be damned. In other words, convenience can be an important part of security.
As for root, while I completely agree, I guess I just prefer concrete examples. Even when running as root, one can never do "anything" for free, and costs are always important to security. Writing a dtrace script is much easier than reverse engineering...well, pretty much anything.
But I'm honestly more interested in how you feel your solution improves upon Keychain's security.
it appears that this is self-promotion, but that's a nice-looking tool. it does look a little disruptive to my workflow (I suggest doing a screencast demonstrating some real world scenarios like periodically checking ical or gmail). and also, unique, not widely used (and not widely audited) security software seems like taking a pretty big risk. not really sure what you can do about that, since it's kind of a chicken and egg problem. but open sourcing it would help get the ball rolling.
If access for assistive devices has been enabled, you can use UI scripting to click the allow buttons:
security find-generic-password -l AppleID -w & sleep 1; osascript -e 'tell app "System Events" to click button 2 of group 1 of window 1 of process "SecurityAgent"'
I run as a non-admin user on Mountain Lion (stops the kids messing stuff up) and it sometimes has unexpected benefits - like in this case, when I run security dump-keychain -d ~/Library/Keychains/login.keychain in terminal the output is most definitely not plain text even after I press 'Allow' - see http://pastebin.com/TH63R9sM for a sample
You should probably delete that, I'm thinking that that's a private key. It's not a 'password' but it's still a secret, and you just pastebin'ed it for everyone.
But I'm just guessing -- I don't know too well what a private key would look like in this format.
Apple provides an easy way to lock your desktop when you go for coffee. To set it up:
1. Launch "Keychain Access".
2. Open Preferences from the "Keychain Access" menu
3. Check the option labeled "Show keychain status in menu bar"
4. (optional) While holding the cmd-key, click and drag the menu item over to the far right of the menu bar for easy access.
Locking the keychain works until you unlock it from another app. If you enter your keychain password for Mail app or for a web password it becomes unlocked for the terminal command. Which is unexpected behavior as from within keychain, even if it is unlocked, you must reenter your password if you want to see a saved password.
Keychain uses AES256 so it's about as reasonably secure of a single-password solution as you can get (given you use it correctly). I would assume 1Password is equivalently secure.
The choice of encryption algorithm only lets us point out which systems are broken, not which ones are secure. A secure system could never use ROT13, but a broken system could definitely use AES256.
Keychain Access and the general security model is poor.
There should be a way for web passwords that are saved from a browser to be restricted for use from a set of authorized browsers only, without also allowing any random program from just grabbing the plaintext.
From what I observe using this system, once you lock the entire keychain, then you have to unlock and relock it everytime you use a web password, or if you forget to relock, after authorizing one time access from the browser popup, it unlocks the whole keychain for the entire system. Unlocking my throwaway yahoo junk mail account in Safari should not also unlock the password to my banking account across the whole system.
This is not the best design and those who say "works as designed", in my opinion, are suffering from myopic tunnel vision where they assume a current design is the only possible design.
2) Select a keychain item (a password) and double-click it.
3) Click on the Access Control tab. You can choose which applications can access that particular password.
I think there's also a group system, and there's a group called "InternetAccounts", but most of the passwords I see have an access list (which I haven't modified) that only includes one application, usually Safari or Mail, but I also see "NetAuth" and "NetAuthSysAgent" for passwords I use for file sharing.
You can also make it so keychain access requires you to type the keychain password in every time a particular password is accessed, and you can also put passwords in separate keychains that use different passwords.
I am aware of that. Let's look at Mail passwords - Mail is the App with designated access on that pane.
Now, if the entire Keychain is unlocked, Mail can access it when I check email. If the entire Keychain is locked, it asks for permission to use it. If I give permission, the entire Keychain is unlocked and left unlocked. It's not only access to Mail that is granted when Mail asks for validation. The entire keychain is unlocked.
Some claim to just keep their Keychain locked. People who say they keep theirs locked all the time, do they really give a password every single time they check their mail during the day, and then immediately afterwards open Keychain Access and relock it? That's the workflow required to keep the Keychain locked. Perhaps it works OK if one uses another computer for email and internet use. If one uses email and site logins on their Mac, one either has to retype their password every single time, and every single time go open Keychain and relock it, or they are sitting with the whole Keychain unlocked.
The command discussed is an easy way to pull passwords off of people's Macs. All you need is to wait for a few moments while they are distracted. This is a flaw. All passwords stored on the system should not be available for a passerby to examine without validation. Validation is only required if one is willing to unlock and relock the Keychain constantly, after every email check and site login.
It sounds like you really haven't explored how to use Keychain access -- including some of its most basic features like ACL configuration and multiple keychains.
1) Relocking the keychain can be done through the menu bar, if you enable the keychain menu item. You don't have to open Keychain access. When I let someone else sit down at my account for a moment, I lock the keychain. This is not a very difficult "workflow". This same menu gives you a "lock screen" item.
2) If you want to unlock and lock things with finer granularity, you can put those things in different keychains. For example, put your mail password in its own keychain. When you unlock that keychain, nothing else gets unlocked.
3) If you want to make it so new applications require typing in your password before accessing a password (rather than just confirming with a yes/no dialog box) you can check the box in the password ACLs. It's a bit of a bummer that there's no global setting for this.
I think we have to weigh this against all the other bad things that someone could do when given access to your account. If the keychain containing your email password is unlocked it's basically game over, since there's so much damage they could do with your email account, and it doesn't even require getting the password.
The fact that a Keychain is unlocked still only gives designated programs access to passwords and /usr/bin/security is no exception. The command from the article results in about a thousand "always allow/allow/deny" dialog boxes on my system, and there's an option for each password in Keychain to require a password to "allow" (from Get Info > Access Control, then set Confirm before allowing access and Ask for Keychain password, and clear the "Always allow access" list; admittedly, this would be a huge PITA for lots of passwords). Alternatively, if you want to "lock" every password but Mail's in one stroke, you don't need another computer: just create another Keychain with nothing but your Mail passwords, select it as the login keychain, and set the original keychain to "Lock after 0 minutes of inactivity."
In Firefox and Chrome you can see all web passwords in plain text. It used to be the same in Safari but apparently not anymore. And that's when they don't leave their webmail logged in, which a lot of people do and they lend you their computer like nothing happened. This is often a master key to somebody's privacy, usually more critical than the kind of stuff have in their keychain most often (WLAN passwords and the like).
People around me are not the most security conscious, or they just know they can trust me.
I guess there's also the cultural bias to allow people "check their email" and stuff like that.
My keychain is always locked, I don't save sensitive web passwords in browsers, and I still don't let people use my computer unsupervised.
A nice visible reason why the Rails/Node/OSX FOSS community really need to stop doing the following sort of thing for their installations (seen most recently on yeoman.io, but common to get.pow.cx, npm...)::
curl get.totallytrustworthyapp.io | bash
The above examples are obviously legit, but encouraging this kind of lazy access to even local privileges from arbitrary remote scripts (and Yeoman even asks for sudo in a super-friendly way), is the modern equivalent of padlock.gif on your payment page - training poor security practices.
Or maybe, just maybe, you should never let random people use your computer under your account. Create an account for randoms, switch users before loaning them the keyboard.
I ran this command and for at least the first 10 items, I was prompted by a GUI dialog to allow the export of the keychain item. (I have close to 2,000 items in my keychain, so it is a small sample.)
I think that this is more of a lesson to:
1) Have reason able auto locking time outs setup via the Keychain and Screen Saver
2) when Keychain Access prompts you to access info that you should normally click "Allow" and not "Always Allow".
However, Keychain Access is perfectly secure as a dead-simple manual password manager. Just create a new keychain (I call mine "webpasses"), give it a password different than your login password, and manually save your web passwords in that. Yes you have to open Keychain Access every time you want to save (or copy the plaintext of) a password. Yes it's a bitch. But if you save your passwords in the correct format (description=website URL, username=website username) then Chrome and Safari will find it, ask for your "webpasses" keychain password, and autofill, no questions asked. Bonus points because you can save your new keychain in your dropbox and use it across multiple (osx) machines. I store all my credit card numbers in one keychain file, everything is AES encrypted IIRC so it's as good a solution as any as far as "one-password-auth" goes.
[/rant]
(note: I chose this solution because I am paranoid -- er, security conscious. The average user will NOT want to enter a password anytime he/she wants to autofill, and there's really no way to do this in a secure manner)
EDIT: grammar