
Password Security and Keychain Access


Recently I was helping a friend with their computer, and in the process, I ran Software Update. My friend was in the other room, and I called out “I’m going to need your password in a minute”, thinking they would come from the other room and type it in. Sadly, they called back the following string of numbers:

1 – 2 – 3 – 4 – 5 – 6

This was the password I had put in 9 months ago, when I had last restored their computer from a backup. (Yes, I had done the backup). It’s only marginally better than the worst password you can possibly pick – no password at all. It occurred to me that a lot of people don’t practice good password security for the same reason they don’t do backups – they don’t see why it’s important. Their computer keeps working, same as it did the day before, so why should they go through the hassle of changing their password, just to slow themselves down when their computer asks for said password?

Again, much like backups, a lot of people don’t get smart about password security until they have been burned once. Imagine this: your laptop gets stolen, and you have no backup, so all your family photos, personal emails, and (probably) work documents are now gone. Once the thief is back in a quiet place, they log in to the computer, open Mail, Thunderbird, or the web browser, and log into your email account. (Web-based email is no safer, as most people check the box to “remember me on this computer”.) Once they have access to the account they can look for banking information and reset passwords on other sites that may not be saved, as the password reset emails will go directly to the thief. Or the thief may find emails from your friends saying that they are out of town, and could you please use the key under the flowerpot to get in and feed the cat?

While this really is a worst-case scenario, it doesn’t have to be. If you can’t remember the last time you changed your password, stop what you are doing, right now, and change your user account password. (Apple Menu->System Preferences->Users->Change Password). I’ll wait. I also suggest turning off the Automatic Login feature (under Login Options in the same pane) and requiring a password to wake the computer from sleep or the screen saver (System Preferences->Security), but I know that’s asking a lot. (The benefit is that a thief who closes the lid, or accidentally reboots the computer, won’t be able to get back into it without your password.)

Didn’t take my advice? Go change your password! At least once a year. I can’t stress this enough. If you are bad at passwords, make it something you can easily remember. Your favorite number, the color of your car and your pet’s name strung together would work for a first attempt, but keep in mind that anyone who knows you (or reads your profile online) can guess those facts, so a phrase of several unrelated words is both easier to remember and much harder to guess. Really, choose any combination that you are comfortable with and that you can remember. If you think you won’t remember it, write it down on the back of a business card and put it in your wallet. (Don’t write down what it is for, of course – just the password itself.) This way, if you forget it, you can get it back easily, but thieves won’t get it when they grab your laptop.

Now, it’s time to secure a lot more stuff for very little extra work. Open Keychain Access, in the Utilities folder inside your Applications folder, and create a new keychain. Call it “Secure Account Info” or something to that effect. If you like, give it the same password you just set for your account (and that you also stuck in your wallet a minute ago). Unlock the new keychain, which should appear on the left-hand side of the utility, and from the File menu create a new Secure Note. Call it “User Account Logins” or something else descriptive. Write down your old password, and today’s date. This way, you won’t forget what it was, in case you need it again. Every time you change your password, open Keychain Access, and add the new password to the secure note.

The keychain file is encrypted with a key derived from the keychain password, so nobody can read your notes without that password – which also means the notes are exactly as safe as the password you chose, and if you forget it, you aren’t going to get it back. (Again, this is why I recommend putting a copy in your wallet.) While you are in Keychain Access, right-click the new keychain and choose Change Settings: set it to lock after a few minutes of inactivity and to lock when the computer sleeps, so it doesn’t sit open all day after you unlock it once.

Here are some screenshots to help along the way:

At this point, start creating more secure notes, for your banking records, for your online logins, and for any other kind of sensitive data. Personally, I keep all my frequent flyer information, credit card numbers, paypal login and payment information, bank routing numbers and health-related information in my secure Keychain.

Two final notes: First – you may be wondering why you should create a new keychain, when there is a perfectly good keychain in the utility that is already unlocked, called “login”. The fact that it is unlocked is precisely the reason. The login keychain is unlocked with your account password the moment you log into the computer, and stays that way – so why make it easy for a thief to get in? A separate keychain stays locked until you open it, and locks again on the schedule you set. (If you gave it the same password as your account, anyone who learns that one password gets both; a different password for the keychain is the safer choice.) If you turned off automatic login as I suggested earlier, it makes it even harder for someone who is up to no good to get in and wreak havoc.

Second – if you are using Dropbox, it’s a good idea to create the new keychain directly in the shared folder. The file is encrypted with a key derived from your keychain password, and with a good password it’s incredibly unlikely that anyone can break it without already knowing that password. Bear in mind what you are trading, though: anyone who gets hold of the file (from a stolen laptop, a shared computer, or Dropbox itself) can try passwords against it offline, as fast as their hardware allows and with no lockout, so a weak or guessable keychain password is the one thing that defeats this setup. By saving it to Dropbox, you have a copy you can get back on any other computer, so your secure notes travel around with you and are easy and safe to update.
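To make the last point concrete, here is an added example (not code from the original post, and not the macOS Keychain file format) that builds a toy password-protected vault from the Python standard library and then attacks it the way someone holding a copy of the file would: by guessing passwords offline. The vault derives its keys with PBKDF2-HMAC-SHA256, encrypts with an HMAC-SHA256 counter-mode keystream and authenticates with an HMAC-SHA256 tag; the iteration count, the sample notes, the word list and the “favorite number, car color, pet’s name” facts are all constructed for the demo. It shows that the password from the anecdote above, and a password assembled from personal facts as the post suggests, fall to a tiny guess list, while an unrelated multi-word phrase does not.

```python
"""Toy password-protected vault (added example; NOT the macOS Keychain format).

Illustrates that a keychain file copied to Dropbox is exactly as strong as
the password protecting it, because the holder of the file can guess offline.
"""
import hashlib
import hmac
import itertools
import secrets
import struct
from typing import Iterable, List, Optional, Tuple

# PBKDF2 work factor, chosen to keep the demo quick.  The real Keychain's
# parameters are not stated on the page and are not assumed here.
ITERATIONS = 50_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a simple keystream generator for the toy."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(note: str, password: str) -> bytes:
    """Encrypt and authenticate a secure note.  Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = note.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(blob: bytes, password: str) -> Optional[str]:
    """Return the note if the password is right; None on wrong password or tampering."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


def crack(blob: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: whoever holds the file can try passwords with no lockout."""
    for guess in candidates:
        if unseal(blob, guess) is not None:
            return guess
    return None


def personal_guesses(facts: Iterable[str]) -> List[str]:
    """Guesses built the way the post suggests choosing a password: a favorite
    number, a car color and a pet's name strung together, in every order."""
    guesses = []
    for combo in itertools.permutations(facts):
        joined = "".join(combo)
        guesses += [joined, joined.capitalize()]
    return guesses


# Constructed sample data for the demo (not real credentials or a real word list).
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "abc123", "letmein", "iloveyou"]
WEAK_PASSWORD = "123456"                              # the password from the anecdote above
STRONG_PASSWORD = "otter-granite-ledger-42-umbrella"  # constructed; unrelated words
FACTS = ["7", "blue", "rex"]                          # favorite number, car color, pet's name


if __name__ == "__main__":
    print("weak password recovered from the file alone:",
          crack(seal("bank routing (constructed)", WEAK_PASSWORD), COMMON_PASSWORDS))
    print("personal-facts password recovered:",
          crack(seal("paypal login (constructed)", "".join(FACTS)), personal_guesses(FACTS)))
    print("strong password recovered:",
          crack(seal("same note", STRONG_PASSWORD), COMMON_PASSWORDS + personal_guesses(FACTS)))
```

The attack needs nothing but the file: no account lockout, no rate limit, and every guess can be checked against the authentication tag. Raising the PBKDF2 iteration count slows each guess down by the same factor for you and for the attacker, which is why the password’s unpredictability, not the cipher, decides whether a synced keychain stays private.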

This is a post made by a freelance blogger. The opinions stated are not necessarily those of Shufflegazine or CENTIMETERCUBE Publishing.



Filed Under: Apple, Hints & Tips, Mac


About the Author: Breandan is a UNIX Systems Administrator, who has been using the Macintosh since 1984. He dabbles heavily in photography, enterprise-scale monitoring and UNIX trickery.

  • Thanks for the hint about using Dropbox!