Password management on the Mac

Dekatophil

There are a couple of password managers out there for the Mac (e.g. Password Wallet, ForgotIt? etc.). Why would I want to use one of those over the built-in KeyChain?
Please let me know your thoughts/experiences.
 
I just use MSWord for my password file and use a password to protect that.
 
With the built in Keychain, someone could gain access easily if they know OS X. Having a password protected file to store passwords in would be a lot harder to open.
 
What exactly makes KeyChain less secure?
Also, I've heard the recommendation to just store a text file on an encrypted Disk Image.
 
So, bobw, how do you protect an MSWord document? The built-in password in the .doc format is not at all secure and can be broken with a number of shareware utilities widely available.
The Keychain, on the other hand, has very strong encryption and neatly integrates into the operating environment.
I keep a copy of my KeyChain files on a flash disk, as well as a CD backup in a safe place.
I know that I could not gain access "easily" to a locked KeyChain without the password. Nor could I "easily" break into an AES-128 encrypted disk image. I'd suspect these would take some rather heavier tools to break this kind of encryption. I don't doubt that intelligence or computer forensics departments would have these capabilities, though.
 
Anything can be hacked. I keep all my passwords in a locked MS doc with an obscure name.
 
A couple of things can be easily done here...

1. Make a password protected disk image in Disk Utility and store your file in there. I've never tried this, but other members here say it works very well, and M$ Windows operating systems have no provision to mount files as disks, so your average high school script kiddie is not going to be able to do much with the file once he gets it.

2. Put all your files in a plain old TextEdit RTF document. A typical name for your file will be X1J5H9ZP.rtf. You can change the extension to anything you want X1J5H9ZP.js. Now, put this file in a folder and put the folder wherever you want. Go download RBrowserLite from http://www.versiontracker.com/macosx/ and install it. RBrowserLite is an FTP transfer utility AND a file browser. RBrowser will let you edit the file names of any file. Go into that folder where you placed your file and put a "." at the beginning of the name .X1J5H9ZP.js and the file will be invisible to the Finder. Now put a dot in the beginning of the name of that very same folder. Now both the folder and file are completely invisible to the Finder. With Mac OS X 10.1.5 which I'm running, Sherlock can find the file because I can provide its cryptic name, but it is "inaccessible" because it's flagged as invisible. To open and view the file, just remove the dot in front of the filename and replace the extension .js with .rtf.

It may be a lot of work, but I don't like keeping my valuable information in some unknown third party shareware utility format that no other program can read. What happens if Apple updates the OS and the program is broken? Your data is safe alright, even from you! I always keep my data in a standard format and then do something to the file.

3. You can always put the password file in a ZIP or Stuffit file and name the file something just as cryptic as xV5h7mN.qpz. Just remember to change the extension .qpz to .zip or .sit as is appropriate.
 
Originally posted by bobw
With the built in Keychain, someone could gain access easily if they know OS X. Having a password protected file to store passwords in would be a lot harder to open.

no, not really!
all data the keychain holds is encrypted.
the thing is that your keychain is locked all the time. but when u login, macosx unlocks ur keychain automatically.

for others to access ur keychain they need to gain access to your account, basically.
note that you could explicitly state whether to stop automatically unlocking ur keychain at login.

This app was designed to be used for storing passwords. If you want to encrypt files, etc... Create an encrypted disk image and store those files there!
 
Originally posted by chemistry_geek
2. Put all your files in a plain old TextEdit RTF document...
Hmmm... This sounds dicey since you are NOT encrypting the file at all. ("Security through obscurity" really is NO security at all.)

Also it does not sound like you made any effort to ensure that the unix file/folder permissions are locked down. It takes absolutely NO effort to "see" dot files from the command line.

If you are not going to encrypt the thing, I'd suggest in the very least making this file/folder readable ONLY by root... Also you really ought to keep this file on a removable drive/partition and NOT keep it regularly mounted... and before it is mounted make sure your firewall is on and all sharing is off.

Originally posted by chemistry_geek
... don't like keeping my valuable information in some unknown third party shareware utility...
I don't like paying some third party for fire insurance for my house, but I'd be crazy not to.
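What the reply above describes, as an added example that is not part of any post: a dot-prefixed name does not stop a directory listing, and the mode bits decide who can read the file. `audit_tree`, `lock_down` and the `.stuff` folder are hypothetical names, the file name is the one from the quoted post, and owner-only modes stand in for the root-only access the reply suggests.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """List every entry under root, dot-prefixed names included, with its
    permission bits and any problems found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            problems = []
            if name.startswith("."):
                # Hidden from the Finder, but listed here like any other entry.
                problems.append("dot-name")
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable-by-others")
            findings.append((os.path.relpath(path, root), oct(mode), problems))
    return sorted(findings)

def lock_down(path):
    """Owner-only access: 0700 for a directory, 0600 for a file."""
    os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)

def demo():
    """Build a constructed sample tree, audit it, lock it down, audit again."""
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, ".stuff")          # hypothetical folder name
        os.mkdir(folder)
        os.chmod(folder, 0o755)
        secret = os.path.join(folder, ".X1J5H9ZP.js")  # file name from the post
        with open(secret, "w") as fh:
            fh.write("constructed sample, not a real password list\n")
        os.chmod(secret, 0o644)
        before = audit_tree(root)
        lock_down(folder)
        lock_down(secret)
        after = audit_tree(root)
        return before, after

if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        for row in rows:
            print(label, *row)
```

After `lock_down` the entries still show up in the listing for their owner; only the `readable-by-others` finding goes away.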
 
Why not just keep your passwords in your memory???
Are there no neurons available to store a couple of passwords??
Can't you manage to remember 30 words related to 30 accesses (I think 30 is enough!)????
Why do people like to complicate things that are so simple???
Why do people like to look for ways to forget the use of the brain???
 
Memory?!? You mean wetware?

Man, that's the most volatile and least secure of all!

;)

Besides, I'm one of those old 512k (not MB) machines... Every new piece of data to be stored requires offloading something already there...
 
Originally posted by SpotWhite

Can't you manage to remember 30 words related to 30 accesses (I think 30 is enough!)????
Why do people like to complicate things that are so simple???
Why do people like to look for ways to forget the use of the brain???

You don't use real words do you!?! Those are the easiest to crack, a simple dictionary attack will eat your lunch. If you can remember it - it is not a good password ;). Line noise all the way!

Way back in 1990 I took a CS course where they issued us accounts on the university's Apollo machines. After the first week the professor came in and wrote something like this on the board:

Code:
*BigDog*   Jenny
2Hot4U  armadillo
way2cool  fghjkl
a dozen similar ones

He then said if you see your password up here you need to change it following the university's password rules. He said that they had used the big Apollo DN10000 to crack our passwords the night before and there was about a 70% failure rate. For some perspective my PalmPilot has more horsepower than the old DN10000 did.

-Eric
 
Originally posted by wiz
no, not really!
all data the keychain holds is encrypted.
the thing is that your keychain is locked all the time. but when u login, macosx unlocks ur keychain automatically.

for others to access ur keychain they need to gain access to your account, basically.
note that you could explicitly state whether to stop automatically unlocking ur keychain at login.

This app was designed to be used for storing passwords. If you want to encrypt files, etc... Create an encrypted disk image and store those files there!

And if you're really paranoid (can be a good thing ;)) you can use Keychain Access to set your Keychain to relock itself every so many minutes and/or when your computer goes to sleep so even if someone gets physical access to your computer with you logged in they won't be able to use any of your automatically-entering passwords (like for Mail) unless they know your account password. (Keep that one safe in your brain and not written down anywhere, of course.)

You can also use Keychain Access to put a lock icon in the OS X menubar so that you know at all times whether your keychain is locked or not. You can also use the menubar icon to immediately lock your screen without having to mess with passwords for your screen saver and hot corners.

Keychain Access app is an awesome way to store passwords. Just create a "Note" when you want to store a new password and it will encrypt and protect the note. Only down-side: someone with physical access to your computer might not be able to find out what your passwords are, but they could get into Keychain Access (if you left yourself logged in) and delete all your records of your passwords. Don't think that's too much of a hazard though, and they still wouldn't know what your passwords were.
 
So I wanna start this topic up again. I have a text file full of usernames/passwords and I'm thinking I need a program. Searchable or at least organized. Any suggestions? Keychain sounds good, but anyone can just double click on it and open it. Right? I was also thinking of just getting info on the text file and changing the permissions, but that should be just as 'undoable'.

Suggestions Please. :)

Thanks
Thomas
 
Anyone can double-click on it and open it if they know the password you locked it up with. If not, it is encrypted with AES and as secure as the NSA will let you have. I can simply boot your Mac into single user mode and read your text file regardless of the permissions.

Keychain is really a cool app and it does exactly what you want; you just need to learn how to use it properly.
 
PGP? OK, so it's obvious that you are trying to keep something secret, but you can make a heavily encrypted file with it and the basic version is free.
 
Doesn't including a hyphen in your password make it a hell of a lot more difficult for a password-hacking program to guess? For instance 'yellow-box' because the combinations are basically infinite? Although I'm sure in the near future this will be worked around, and using things like 'federal-express' or common combinations probably isn't that smart....
I just read this somewhere, wondered if it was true - going to put my G4 'out there' soon...
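The passwords on the professor's board in Eric's post and the hyphenated examples in the post above, run through a policy check of the kind a site could apply when a password is chosen. This is an added example, not part of any post; `audit`, `WORDS` and the last sample password are constructed for illustration, and a real check would load a full dictionary and name list.

```python
import re

# Constructed mini word list (assumption); stands in for a full dictionary.
WORDS = {"big", "dog", "jenny", "hot", "armadillo", "way", "cool",
         "yellow", "box", "federal", "express"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def splits_into_words(token, words=WORDS):
    """True if token is a concatenation of one or more dictionary words."""
    reachable = [True] + [False] * len(token)
    for end in range(1, len(token) + 1):
        reachable[end] = any(
            reachable[start] and token[start:end] in words
            for start in range(end))
    return reachable[-1]

def is_keyboard_walk(token):
    """True for a run of four or more adjacent keys, in either direction."""
    return len(token) >= 4 and any(
        token in row or token in row[::-1] for row in KEY_ROWS)

def audit(password):
    """Return the reasons a password should be rejected (empty list = none found)."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("short")
    # Digits, hyphens and other symbols act only as separators between words.
    tokens = [t for t in re.split(r"[^a-z]+", lowered) if len(t) >= 3]
    if tokens and all(splits_into_words(t) for t in tokens):
        reasons.append("dictionary-words")
    if is_keyboard_walk(re.sub(r"[^a-z0-9]", "", lowered)):
        reasons.append("keyboard-walk")
    return reasons

SAMPLES = ["*BigDog*", "Jenny", "2Hot4U", "armadillo", "way2cool", "fghjkl",
           "yellow-box", "federal-express",
           "q7#Vt9!mZ2x$"]  # constructed "line noise" sample

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:16} {audit(pw) or 'no finding'}")
```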
 