[X4U] Passwords in Keychains (Keylogger info) - Security info

Kuestner, Bjoern Bjoern.Kuestner at drkw.com
Mon Dec 5 03:54:08 PST 2005


Putting your passwords in the Keychain is probably your best bet. If you
really want to be on the safe side, choose different passwords for your
keychain and your account login. Otherwise your keychain is just as safe as
your account login password, which, if I recall right, is less secure
encrypted than the password to your keychain.

Apple's keychain is certainly better than using a file with restricted
permissions: Permissions won't protect much if somebody has access to your
account or physical access to your machine.

I would also never trust a shareware password safe even if it claims to have
better encryption. For one, you never know how good the encryption scheme
was implemented and if there is an accidental hole. And then, I would not
trust a shareware when I don't know if it might call home on occasions with
my passwords in it.

The exception to my dislike of non-Apple software in this respect would be
widely known and used open source software. That is probably even safer than
Apple's Keychain, because I trust the scrutiny that common open source
software is going through more than Apple's best efforts. Plus, you never
know if Apple, Microsoft etc. are not subject to CIA requirements with a
secret backdoor to their encryption products. I can hardly imagine that
being the case for GPLed software.

Not that I go to that length. But since we're talking serious here.

In any way, use good passwords. Apple's Tiger has a feature that suggests
good passwords to remember them. But as a rule of thumb you can also build
them for a fantasy line with some "effects" added to it:

"Now, whenever I'm in Germany, I say: Guten Tag." 
	becomes
N,wI'miG,Is:GT. 
	which then becomes for instance
N,w|'m!9,|$:G?.

Don't use the above password anymore. By publishing it here it will sooner
or later show up in dictionaries for password hacking tools.
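The sentence-to-password recipe above, as an added example that is not part of the original post. The first step is mechanical (keep the first letter of every alphabetic run and all punctuation, so "I'm" stays "I'm" and "Now," becomes "N,"), and the code reproduces the author's "N,wI'miG,Is:GT." exactly. The author applied his "effects" by hand and not with a fixed rule, so the substitution map used here is an assumption, as is the small hashed denylist standing in for the cracking dictionaries the author expects his published example to land in; the point of the check is the one he makes: a mnemonic password that has been published is no longer a password.

```python
import hashlib
import re


def mnemonic_skeleton(sentence: str) -> str:
    """Keep the first letter of every alphabetic run and every punctuation mark.

    "Now, whenever I'm in Germany, I say: Guten Tag." -> "N,wI'miG,Is:GT."
    """
    return "".join(
        re.sub(r"([A-Za-z])[A-Za-z]*", r"\1", token)
        for token in sentence.split()
    )


def apply_effects(skeleton: str, effects: dict[str, str]) -> str:
    """Character-by-character substitution; unmapped characters pass through.

    The map is the caller's choice (an assumption here); the original post did
    this step by hand rather than with one fixed table.
    """
    return "".join(effects.get(ch, ch) for ch in skeleton)


def digest(password: str) -> str:
    # Denylist entries are stored hashed so the list itself is not a plaintext
    # collection of passwords lying around on disk.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_list(passwords) -> set[str]:
    return {digest(p) for p in passwords}


# Constructed stand-in for a published password dictionary. The author's own
# posted example is included because, as he says, it will end up in such lists.
PUBLISHED = hash_list({"N,w|'m!9,|$:G?.", "password", "letmein"})


def is_published(password: str, published: set[str] = PUBLISHED) -> bool:
    return digest(password) in published


def build_password(sentence: str, effects: dict[str, str],
                   published: set[str] = PUBLISHED, min_length: int = 12) -> str:
    """Derive a password from a sentence and refuse known-bad results."""
    candidate = apply_effects(mnemonic_skeleton(sentence), effects)
    if len(candidate) < min_length:
        raise ValueError(f"only {len(candidate)} characters; use a longer sentence")
    if is_published(candidate, published):
        raise ValueError("result appears in a published list; pick a new sentence")
    return candidate


if __name__ == "__main__":
    sentence = "Now, whenever I'm in Germany, I say: Guten Tag."
    effects = {"I": "|", "i": "!", "s": "$"}  # assumed map, not the author's
    print(mnemonic_skeleton(sentence))        # N,wI'miG,Is:GT.
    print(build_password(sentence, effects))  # N,w|'m!G,|$:GT.
    print(is_published("N,w|'m!9,|$:G?."))    # True: the posted example is burned
```

The denylist check is the part worth keeping even if the mnemonic recipe changes: whatever scheme produces the candidate, compare it against a list of known-published passwords before accepting it.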

Some people suggested that people are not interested in my data. Yes, that's
probably true: My letter to aunt Sue is not that interesting to them. But
there's a lot of identity theft going on. A password collection from another
person's machine is "a good thing to have" for the malicious folks out
there.

The biggest threat for OS X machines out there are currently Unix rootkits
which usually imply keyloggers and Trojan Horses. I do not mean "big
threat"! I said "biggest threat" which can still be not much of a threat at
all. Like talking about an attack of the "biggest ant".

I recommend that as a matter of safety
- people do not use an admin account for their daily work (which helps to
some degree to prevent the system becoming infected)
- use good passwords (see above)
- put your Mac behind a router when accessing the internet
- turn off all sharing services they don't need
- turn off all auto-start/-open/-display in Safari, Quicktime, Mail ...
- think twice before double-clicking anything new from the internet, even a
seemingly harmless text file.
- think three, four, five times and ask somebody more experienced for advice
when something strange should happen, like: Why did that textfile ask for
admin privileges to launch TextEdit? Why did that textfile launch not only
TextEdit but also iTunes?
- Always type critical URIs yourself, never follow links from a product page
taking you to your bank or the Paypal-site, for instance.
- If the threats against OS X become more real than they are at the moment,
Virus checkers and 3rd party firewalls could become recommendable as they
are for Windows right now.

All that said ... PowerPC Macs are still pretty safe out of the box. Take
the above as "A guideline to indulge in paranoia".

Bjorn

_______________________________________________
X4U mailing list
X4U at listserver.themacintoshguy.com
http://listserver.themacintoshguy.com/mailman/listinfo/x4u





