
Tom Evans (11-08-18, 07:59 AM)
Is Keychain or any other program safe for storing passcodes on a desktop Mac?

Tony
Calum (11-08-18, 02:31 PM)
On 08/11/2018 05:59, Tom Evans wrote:
> Is Keychain or any other program safe for storing passcodes on a desktop
> Mac?


Depends on what you mean by "safe". If nobody else has physical access
to that desktop Mac, it's very safe indeed, especially if you don't sync
the keychain via iCloud to any other Mac. But there have been occasional
bugs:
<https://motherboard.vice.com/en_us/article/pak37n/macos-keychain-theft-issue-shows-you-cant-just-trust-apple-to-keep-you-secure>

If you do sync, and you have two-factor authentication enabled on your
Apple account, then your keychain is transmitted and stored in iCloud
with end-to-end encryption, using keys derived from information unique
to your device. So it's still very safe, but with the additional tiny
risk that the encryption could somehow be buggy and crackable, and that
a hacker then chose to breach your Apple account out of the hundreds of
millions they could have chosen.

If anyone else has physical access to the Mac, it's as safe as your user
account password, and not even that safe if your screensaver doesn't
lock your screen. You do have the option to set up a separate keychain
password, which can help a bit... but in general, once someone has
physical access to a machine, all security bets are off.
Jolly Roger (11-08-18, 05:59 PM)
On 2018-11-08, Tom Evans <tomevans9890> wrote:
> Is Keychain or any other program safe for storing passcodes on a desktop Mac?


Very.

Keychain is a securely encrypted password manager that is built into
Apple operating systems including macOS and iOS. The information in the
keychain is encrypted and stored in an SQLite database on the file
system.

Keychain can contain various types of data including:

* passwords (for websites, FTP servers, SSH accounts, network shares,
  wireless networks, groupware applications, encrypted disk images),
* credit card details,
* private keys,
* certificates, and
* secure notes

Apple and third-party applications can offer to remember and store
passwords, credit card details, and so on in Keychain so that the user
does not have to type them again upon subsequent logins. For instance,
the Apple Mail application stores your mail account passwords in
Keychain so that you do not need to enter them each time you check
email. The Safari web browser stores login credentials to websites in
Keychain so that the next time you connect to a web site, the
credentials will be entered for you. Third-party apps in macOS and iOS
also routinely store sensitive login credentials and other details in
Keychain for safe keeping.

iCloud Keychain is just an extension to the Keychain facility that
securely and seamlessly synchronizes your Keychain to all of your Apple
devices so that a piece of information remembered on one device will
automatically be available on all of your other devices. So a password
remembered on one device will automatically be on all of your other
devices, which means you don’t need to enter it on your other devices.

<https://support.apple.com/en-us/HT204085>

Apple has gone to great lengths to protect the data stored in Keychain
on your devices.

<https://tidbits.com/2014/03/01/how-to-protect-your-icloud-keychain-from-the-nsa/>

The iOS Security Guide white paper provides a lot of technical detail if
you’re interested.

<https://www.apple.com/business/docs/iOS_Security_Guide.pdf>

As with many of Apple’s secure facilities, any new device attempting to
read Keychain information requires one of:

* verification from an existing registered device through a push
  notification with manual acceptance,
* your iCloud Security Code, or
* an SMS verification to your registered phone number

To enhance security, you can also protect your iCloud / Apple ID account
with two-factor authentication, which causes push notifications to all
registered devices and corresponding email messages anytime your
password is used on a new device.

<https://support.apple.com/en-us/HT204915>

I highly recommend iCloud Keychain, because it is very secure and
greatly increases your productivity.
Chris Ridd (11-08-18, 08:47 PM)
On 08/11/2018 15:59, Jolly Roger wrote:
> On 2018-11-08, Tom Evans <tomevans9890> wrote:
> Very.
> Keychain is a securely encrypted password manager that is built into
> Apple operating systems including macOS and iOS. The information in the
> keychain is encrypted and stored in an SQLite database on the file
> system.


Passwords in local keychains on Macs are only protected with 3DES, which
is an extremely weak cipher.

<https://web.archive.org/web/20110410065128/https://images.apple.com/macosx/security/docs/MacOSX_Security_TB.pdf>

I would suggest *not* using the macOS keychain for passcodes that I
cared about. Personally I use 1Password; other secure password managers
are available.

<https://support.1password.com/opvault-overview/>
Your Name (11-08-18, 09:10 PM)
On 2018-11-08 18:47:14 +0000, Chris Ridd said:

> On 08/11/2018 15:59, Jolly Roger wrote:
> Passwords in local keychains on Macs are only protected with 3DES,
> which is an extremely weak cipher.
> <https://web.archive.org/web/20110410065128/https://images.apple.com/macosx/security/docs/MacOSX_Security_TB.pdf>


Not quite true. They are also protected by your user and admin
passwords (assuming you set the machine to lock when not used and not
automatically log on when booting), and can be further protected by a
firmware password and encrypting the drive (if you forget the drive
encryption password, you're screwed though!).

> I would suggest *not* using the macOS keychain for passcodes that I
> cared about. Personally I use 1Password; other secure password managers
> are available.
> <https://support.1password.com/opvault-overview/>


Like Adobe, 1Password has now stupidly gone down the subscription
route, so you now have to pay a monthly fee, rather than buying a
license. :-(
nospam (11-08-18, 09:22 PM)
In article <ps21ma$ptc$1>, Your Name
<YourName> wrote:

> Not quite true. They are also protected by your user and admin
> passwords (assuming you set the machine to lock when not used and not
> automatically log on when booting), and can be further protected by a
> firmware password


none of that matters.

> and encrypting the drive (if you forget the drive
> encryption password, you're screwed though!).


that part does.

> Like Adobe, 1Password has now stupidly gone down the subscription
> route, so you now have to pay a monthly fee, rather than buying a
> license. :-(


nope.

1password exists in *both* a subscription or purchase option. the user
can choose whichever works best for their needs.
Chris Ridd (11-08-18, 09:30 PM)
On 08/11/2018 19:10, Your Name wrote:
> On 2018-11-08 18:47:14 +0000, Chris Ridd said:
> Not quite true. They are also protected by your user and admin passwords
> (assuming you set the machine to lock when not used and not
> automatically log on when booting), and can be further protected by a
> firmware password and encrypting the drive (if you forget the drive
> encryption password, you're screwed though!).


It is common practice to assume the worst case scenario where the
attacker is able to get a copy of the (keychain) file.

> Like Adobe, 1Password has now stupidly gone down the subscription route,
> so you now have to pay a monthly fee, rather than buying a license.  :-(


It seems to have been a *very* successful strategy for Adobe.

However 1Password still sell full licenses. I got one for my Macs.
Jolly Roger (11-08-18, 10:22 PM)
On 2018-11-08, Chris Ridd <chrisridd> wrote:
> On 08/11/2018 15:59, Jolly Roger wrote:
> Passwords in local keychains on Macs are only protected with 3DES, which
> is an extremely weak cipher.


Meh. That requires that someone have login access to your user account.
And it's also made irrelevant for many of us who use the built-in
FileVault whole-disk encryption facility built into macOS.

> I would suggest *not* using the macOS keychain for passcodes


I recommend all Mac users secure their data with FileVault, a firmware
password, and Find My Mac. Good luck even getting access to my keychain
data.

> Personally I use 1Password; other secure password managers are
> available.


Been there, done that. No thanks.
Tom Evans (11-08-18, 11:51 PM)
Thanks, Calum.

The reason I asked if Keychain is safe is because a robber tried
(unsuccessfully) to steal $1,700 from one of my credit cards by calling
my bank and impersonating me yesterday. The bank employee I spoke with
after the bank alerted me said that the thief knew my security
questions that were asked of him.

I thought maybe the thief was able to hack into my Mac and find my bank
information there. (I have my user names and passcodes stored on my
Mac, but in a text program and not in Keychain.)

My credit card account online showed that $1,700 was added to my credit
card debt yesterday, but a bank employee flagged the transaction as
suspicious and the bank then reinstated that money to my account and a
bank employee phoned me and left a message in my voice mail, asking me
to phone the bank immediately to ask me about this issue.

The bank deactivated both of my credit cards and both of my debit cards
yesterday, so I'm getting replacement cards, but the process is
troublesome. I want to try to figure out how the breach might have
happened, so I can prevent another attack.

I called Apple and two technicians on the phone said it's safe (from
hackers) to store sensitive info on the Mac even in a text program, and
that I don't need an anti-virus program.

Tom

On 2018-11-08 12:31:56 +0000, Calum said:
[..]
nospam (11-09-18, 12:10 AM)
In article <2018110813514766717-tomevans9890>, Tom Evans
<tomevans9890> wrote:

> The reason I asked if Keychain is safe is because a robber tried
> (unsuccessfully) to steal $1,700 from one of my credit cards by calling
> my bank and impersonating me yesterday. The bank employee I spoke with
> after the bank alerted me said that the thief knew my security
> questions that were asked of him.


likely because you gave real answers to the insecurity questions.

most of those are public information, such as what was your first car,
or can be easily determined with a bit of digging, such as what street
you grew up on or who was your 1st grade teacher.

or the information was compromised in another breach.

> I thought maybe the thief was able to hack into my Mac and find my bank
> information there. (I have my user names and passcodes stored on my
> Mac, but in a text program and not in Keychain.)


that's *not* a good idea.

> I called Apple and two technicians on the phone said it's safe (from
> hackers) to store sensitive info on the Mac even in a text program, and
> that I don't need an anti-virus program.


anti-virus apps won't stop a password cracker. all they need is a copy
of your text file...
Your Name (11-09-18, 04:29 AM)
On 2018-11-08 19:30:44 +0000, Chris Ridd said:
> On 08/11/2018 19:10, Your Name wrote:
> It is common practice to assume the worst case scenario where the
> attacker is able to get a copy of the (keychain) file.
> It seems to have been a *very* successful strategy for Adobe.


Mainly because there's not a lot of other choice for professional
users. Quite a few of the non-professional users have already jumped
ship to other products which although less powerful, mostly suit their
needs.

> However 1Password still sell full licenses. I got one for my Macs.


Only if you already have the previous version bought under a license.
New buyers are forced into the subscription model.
Your Name (11-09-18, 04:36 AM)
On 2018-11-08 21:51:47 +0000, Tom Evans said:

> Thanks, Calum.
> The reason I asked if Keychain is safe is because a robber tried
> (unsuccessfully) to steal $1,700 from one of my credit cards by calling
> my bank and impersonating me yesterday. The bank employee I spoke with
> after the bank alerted me said that the thief knew my security
> questions that were asked of him.


The bank's "security" questions are often useless crap. Things like
mother's maiden name, place of birth, etc. Things that any determined
person could find out in various ways. In many countries you can get
such details from the Births, Deaths, and Marriages department of the
government without even needing to show proof of who you are!!

> I thought maybe the thief was able to hack into my Mac and find my bank
> information there. (I have my user names and passcodes stored on my
> Mac, but in a text program and not in Keychain.)


Immensely unlikely. Far more likely would be that you may possibly have
used a link in a scam email and entered your details yourself on their
scam website.

[..]
> I called Apple and two technicians on the phone said it's safe (from
> hackers) to store sensitive info on the Mac even in a text program, and
> that I don't need an anti-virus program.


Yep. You're more likely to win the top prize in every lottery draw for
a year rather than get malware on a Mac. The exception is if you do
stupid things like visit porn or pirate software / movie / music sites,
and especially if you install pirated software

BUT, the weak point is the user ... you do have to be careful about things
like scam emails that may look legit, but take you to faked websites to
enter your details. Best bet is to never go to your online banking via
an email link.
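As an added example (my own code, not something posted by anyone in this thread) of the kind of check that catches "looks legit but goes to a faked website": it parses the links out of an HTML email and flags any whose host is not under the bank's real domain, is not HTTPS, is punycode, or whose visible link text shows a different address than the one it actually points at. The sample email and the bank domain `bank.example` are constructed for the demonstration; the lookalike host in it is an assumption about how such mails are built, not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "please verify / unsubscribe" mail with one faked
# link and one genuine one. The bank's real domain is assumed to be bank.example.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please verify your account:</p>
<p><a href="http://bank.example.login-verify.example.net/verify">https://www.bank.example/verify</a></p>
<p>To stop these messages, <a href="https://www.bank.example/unsubscribe">unsubscribe</a>.</p>
"""
TRUSTED_DOMAINS = ["bank.example"]


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain of it (not merely a prefix)."""
    return host == domain or host.endswith("." + domain)


def check_links(html_body: str, trusted_domains: list[str]) -> list[tuple[str, list[str]]]:
    """Return [(href, [reasons])] for every link; an empty reason list means it passed."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        reasons = []
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        if not any(is_under(host, d) for d in trusted_domains):
            reasons.append(f"host {host!r} is not under a trusted domain")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (possible homograph) host")
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host:
            reasons.append(f"link text shows {shown!r} but points at {host!r}")
        findings.append((href, reasons))
    return findings


def looks_like_phish(html_body: str, trusted_domains: list[str]) -> bool:
    """True if any link in the mail fails a check."""
    return any(reasons for _, reasons in check_links(html_body, trusted_domains))


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(("FLAG " if reasons else "ok   ") + href, "; ".join(reasons))
    print("phish:", looks_like_phish(SAMPLE_EMAIL, TRUSTED_DOMAINS))
```

Note the subdomain check: `bank.example.login-verify.example.net` starts with the bank's name, which is exactly what fools people, but it is not under `bank.example`, so `is_under` rejects it. The advice in the post still stands; this only automates the eyeballing, and the simplest habit is to type the bank's address yourself rather than follow any link, including "unsubscribe".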
nospam (11-09-18, 04:52 AM)
In article <ps2re1$af$1>, Your Name
<YourName> wrote:

> > However 1Password still sell full licenses. I got one for my Macs.

> Only if you already have the previous version bought under a license.
> New buyers are forced into the subscription model.


wrong.
Tom Evans (11-09-18, 06:00 AM)
On 2018-11-09 02:36:39 +0000, Your Name said:

[..]
> a year rather than get malware on a Mac. The exception is if you do
> stupid things like visit porn or pirate software / movie / music sites,
> and especially if you install pirated software


I have looked at some sites that show short, free movies.

> BUT, the weak point is the user ... you do have to careful about things
> like scam emails that may look legit, but take you to faked websites to
> enter your details. Best bet is to never go to your online banking via
> an email link.


I may have recently pressed the "Unsubscribe" button on an
email from what I thought was my bank. (I can't remember if I did
that.) After that, on the resulting page (if I clicked on the link),
the most data that I might have entered was my email address to try to
unsubscribe.

How can I determine if I have malware?

Tom
nospam (11-09-18, 06:18 AM)
In article <2018110820004159341-tomevans9890>, Tom Evans
<tomevans9890> wrote:

> I may have recently pressed the "Unsubscribe" button recently on an
> email from what I thought was from my bank. (I can't remember if I did
> that.) After that, on the resultig page (if I clicked on the link),
> the most data that I might have entered was my email address to try to
> unsubscribe.
> How can I determine if I have malware?


you more than likely don't, however, if that link was a phish, then
you've been pwned.
