Related link: http://chuck.goolsbee.org/archives/14
I love my Keychains. I have two: my really, really secure one, and my normal every day one. My normal contains my passwords for things like my blogs, logins for the New York Times and Washington Post, and various other trivial passwords that I’m supposed to remember on a whim. My email and several other more critical things, like my bank logins and whatnot, remain hidden and secure in my sooper sekrit keychain. My friend Chuck discovered an infuriating behavior in OS X Tiger this week that makes me wonder about the security of the keychain feature:
On a whim, in MacOS X 10.4, because I was tired of my old login passwd, I changed it. No biggie, right?
I was presented with a dialog, basically saying “Your keychain password has also been changed.” …huh?
Bahhhh!!! No! I didn’t want that!
What’s worse is that he can’t change it back. Like my simple keychain, his simple keychain password is engrained in muscle memory. Unlike my simple keychain, his simple keychain password is short, and so Apple won’t accept it. The purpose of the keychain system is to allow many keychains with varying degrees of security, and increasingly difficult passwords. Is there a way that Chuck can go back to using his short, but secure, password?
Keychain Woes? Share on.
well...
If you really want to worry, grab your keychain file (most people do use login.keychain that I know) , copy the keychain file to a different machine, overwriting the old keychain file, then change the password for that user via System Prefs/Accounts (which also changes the keychain password)
Now - open keychain access and note that anyone could read your keychain/passwords, if they had a copy of the file.
ouch. that's grim.
I guess I assumed the keychain was hashed with your old password. If it's not - doesn't that imply that either all keychains are encrypted with the same key or that the master key itself is stored in the keychain?
FUD, rants, and misinformation
Did you even try this, or are you just repeating misinformation?
First of all, the keychain DOES let you have ANY LENGTH password you want. The alert that comes up is just a warning; if you proceed to click OK, the password you've entered is accepted, even if it's 0 characters long.
Second, your keychain password can ONLY be changed to a new password IF you supply the old keychain password to decrypt it. Read that last sentence again.
In the Accounts pref pane, if your login keychain's password is ALREADY THE SAME as your old account password, then it's able to change the password for that keychain, and keep it in sync with your new account password. You provided the keychain's old password, which allowed the change to occur. HOWEVER, if your keychain password was DIFFERENT than your login password, the attempt fails. Your keychain password ISN'T changed.
This means that an administrator CANNOT come along and change your password to gain access to your keychain, or force you to keep your keychain passwords in sync with your account password, or copy your keychain to a different machine and change that user's password, or any of the other scenarios mentioned. Try it for yourself.
FUD, rants, and misinformation
I did just try it, and you're right. However, this is a *stupid* behavior. The popdown that warns you that this is insecure gives you NO indication that the password will be accepted the second time around. This is a bad behavior and ought to be changed.