Protect your Mac from a password-revealing security flaw

A security issue exists in OS X where, if you are logged into your Mac, anyone who sits down at your system can read the passwords stored in your keychain.

When you save passwords to your keychain in OS X, your Mac automatically allows access to each one for the specific program that stored it, such as Mail for logging into your e-mail accounts. Any other program that wants to read a password must first be granted access, and operations that reveal a password in plain text are supposed to require you to authenticate as well.

For example, if you open Keychain Access, you can open any keychain entry and check the box next to “Show Password,” or you can right-click the entry and choose “Copy Password to Clipboard” to get the password for the specific keychain entry. However, in doing so you will first need to authenticate to allow this exception and provide access to the password.

This is true even for keychains that are unlocked by default, such as the login keychain. Unlocking a keychain lets the specific programs already authorized for an entry read it, but it should not let them read other entries without your explicit intervention, and it should not reveal any password in plain text without you authenticating first.

Despite this, the passwords in a Mac’s keychain can be revealed without authenticating: sit down at any Mac whose keychain is unlocked (i.e., any Mac where a user is logged in and the login keychain has not been explicitly locked) and run the following command in the OS X Terminal utility:

security dump-keychain -d

When run, the system repeatedly prompts you to allow access to each keychain entry, and by clicking “Allow” you will see the keychain’s contents dumped to the Terminal window. These are permission prompts, not password prompts: no keychain password is requested. You will then get a number of genuine password prompts for copying the various keychain attributes, but you can cancel those, and the passwords already dumped remain in the Terminal output.

Password revealing in the OS X Terminal

Clicking “Allow” at the multiple prompts will grant the security command access to your keychain and will reveal your passwords one-by-one. This is in stark contrast to the authentication requirement within the Keychain Access utility for revealing or copying passwords in plain text.

This output from the Terminal can easily be saved to a file, meaning that anyone with quick physical access to your Mac may sit down at it, run this command, and have access to your passwords without any prior knowledge of your keychain’s password.

If you are concerned about this ability, then your best bet for securing your system is to ensure nobody can access it when your keychain is unlocked. There are several ways to ensure your keychains are locked on your Mac.

Use a sleep or screen-saver password

  1. Go to the Security & Privacy system preferences.
  2. Click the General tab
  3. Check the box to require password after sleep or screen saver begins
  4. Change the time frame to immediate, or at least something relatively short

Go to the login window

  1. Click your name (or the fast user switching icon) at the right end of the menu bar; this menu is only present if the fast user switching menu is enabled in the Users & Groups login options
  2. Choose Login Window from the menu

Specifically lock your keychains

  1. Open Keychain Access
  2. Press Command-comma, or choose Preferences from the Keychain application menu
  3. Check the box in the General section to show keychain status in menu bar
  4. Open this menu (it looks like a lock) and choose Lock Screen, or Lock Keychain(s)

You can also open Keychain Access, right-click your login keychain, and set options to have the keychain lock after a specified timeframe of inactivity, or do so when sleeping.
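The Keychain Access settings above have a command-line equivalent in the same security(1) tool that the dump command uses. The following script is an added example, not part of the original post: it locks every keychain immediately and configures the login keychain to lock when the Mac sleeps and after a period of inactivity. The five-minute default, the one-hour upper bound and the two login keychain file names are assumptions for illustration; the subcommands and flags used (lock-keychain -a, set-keychain-settings -l -u -t, show-keychain-info) are the tool’s own.

```shell
#!/bin/sh
# Added example, not from the original post: lock all keychains now and set the
# login keychain to auto-lock, via the same security(1) tool the post discusses.
# Assumptions for illustration: a 300 s default timeout, a 3600 s policy ceiling,
# and the usual login keychain file names.

# Print the path of the login keychain. Newer macOS names it login.keychain-db,
# older OS X used login.keychain; return the first one that exists.
login_keychain_path() {
    for f in "$HOME/Library/Keychains/login.keychain-db" \
             "$HOME/Library/Keychains/login.keychain"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Accept an inactivity timeout in seconds only if it is a whole number
# between 1 and 3600 (assumed policy ceiling); print it on success.
validate_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 3600 ]; then
        return 1
    fi
    printf '%s\n' "$1"
}

# Build the argument string for `security set-keychain-settings`:
#   -l  lock when the system sleeps
#   -u  lock after a period of inactivity
#   -t  that period, in seconds
keychain_settings_args() {
    t=$(validate_timeout "$1") || return 1
    printf 'set-keychain-settings -l -u -t %s\n' "$t"
}

# Lock every keychain immediately (the CLI equivalent of "Lock All Keychains").
lock_all_keychains() {
    command -v security >/dev/null 2>&1 || { echo 'security(1) not found: not macOS?' >&2; return 2; }
    security lock-keychain -a
}

# Apply the auto-lock settings to the login keychain and print the result.
harden_login_keychain() {
    timeout_s=${1:-300}
    args=$(keychain_settings_args "$timeout_s") || { echo "bad timeout: $timeout_s" >&2; return 1; }
    kc=$(login_keychain_path) || { echo 'login keychain not found' >&2; return 1; }
    command -v security >/dev/null 2>&1 || { echo 'security(1) not found: not macOS?' >&2; return 2; }
    # $args is deliberately unquoted so it splits into separate arguments.
    security $args "$kc"
    security show-keychain-info "$kc"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    harden_login_keychain "${2:-300}" && lock_all_keychains
fi
```

Run it on the Mac in question as `sh lock-keychain.sh --apply 300`; the final show-keychain-info line confirms that the sleep-lock and timeout settings took. Locking the keychain on its own is enough to make the dump prompt for the keychain password instead of merely asking for permission, but combine it with the screen-saver password so the Mac is not left usable in the meantime.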

If you activate these features and make sure your keychain is locked whenever you leave your system, the passwords and other confidential information in your user account cannot be read by this route, since a locked keychain prompts for its password rather than merely asking permission. In addition, be sure you have FileVault enabled so that the Mac’s built-in security measures cannot be bypassed by someone with physical access to the disk.

2 thoughts on “Protect your Mac from a password-revealing security flaw”

  1. B. Jefferson Le Blanc

    Do we need to activate all these features to be secure, or will one or two be enough? I already have a lock set for screensaver and sleep.

  2. xAirbusdriver

    Or simply don’t use Keychain for all your passwords. 1Password, and probably others, will disable itself if you leave it running for a specified period of time, requiring the password to open it again. And ‘dumping’ its collection of sensitive data, much more than simply passwords, will probably provide nothing but encrypted ‘garbage’. But the biggest advantage of a third-party password vault is that it is usable on all your Apple hardware.

    Of course, 1PW is not free, but sometimes you _do_ get more when you pay for it. 😉
