

Black_Mage
iMage
Premium
join:2012-09-12
USA
kudos:1
Reviews:
·Windstream

[OS X] Keychain disappointment

I was really looking forward to having my passwords synced, but already I ran across a website that has requested that Safari not store passwords. Kind of defeats the purpose of that feature.



haroldo

join:2004-01-16
united state
kudos:1

said by Black_Mage:

...a website that has requested that Safari not store passwords. ...

Maybe the subject title of the thread should be Website disappointment.
You can't blame Keychain if a site owner denies Keychain from operating the way you'd like.


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

I would blame Keychain sync for not giving users a choice to override it. 1Password works fine.
--
Nocchi rules.



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1

2 recommendations

reply to Black_Mage

Re: [OS X] Keychain disappointment

Actually, you do have a choice to override it. Look in preferences.


Black_Mage
iMage
Premium
join:2012-09-12
USA
kudos:1

said by rjackson:

Actually, you do have a choice to override it. Look in preferences.

Cool! Thanks!


rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1

According to Apple, in order for this feature to be enabled you must also configure your Mac to lock the screen when idle. »support.apple.com/kb/HT5813



dfc888
Premium
join:2003-07-22
San Bruno, CA
reply to Black_Mage

I was like wow, keychain management! Automatic password generation! Woohoo, let's save all my passwords on my Macs and iOS devices!! No more having to remember passwords!!

Oh yea, wtf am I going to do at work or at a public computer?



Nezmo
The name's Bond. James Bond.
Premium,MVM
join:2004-11-10
Coppell, TX
kudos:1
reply to rjackson

said by rjackson:

According to Apple, in order for this feature to be enabled you must also configure your Mac to lock the screen when idle. »support.apple.com/kb/HT5813

I enabled it earlier on my mini. It suggested I set-up a lock screen password but it was not mandatory.

Not sure if I'll use this on my Mac as I don't like Safari.
--
My Gallery
Formerly Nezmo

kes601

join:2007-04-14
Virginia Beach, VA
kudos:2

said by Nezmo:

said by rjackson:

According to Apple, in order for this feature to be enabled you must also configure your Mac to lock the screen when idle. »support.apple.com/kb/HT5813

I enabled it earlier on my mini. It suggested I set-up a lock screen password but it was not mandatory.

Not sure if I'll use this on my Mac as I don't like Safari.

In order to overrule websites that request that Safari not save the password, you do indeed need to set up a lock screen password.


Nezmo
The name's Bond. James Bond.
Premium,MVM
join:2004-11-10
Coppell, TX
kudos:1

said by kes601:

said by Nezmo:

said by rjackson:

According to Apple, in order for this feature to be enabled you must also configure your Mac to lock the screen when idle. »support.apple.com/kb/HT5813

I enabled it earlier on my mini. It suggested I set-up a lock screen password but it was not mandatory.

Not sure if I'll use this on my Mac as I don't like Safari.

In order to overrule websites that request that Safari not save the password, you do indeed need to set up a lock screen password.

Got ya.
--
My Gallery
Formerly Nezmo


darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
Reviews:
·Frontier FiOS
reply to dfc888

said by dfc888:

Oh yea, wtf am I going to do at work or at a public computer?

Use 1Password instead, to display the password in clear text and enter it manually?
--
♬ Dragon of good fortune struggles with the trickster Fox ♬


dfc888
Premium
join:2003-07-22
San Bruno, CA

said by darcilicious:

said by dfc888:

Oh yea, wtf am I going to do at work or at a public computer?

Use 1Password instead, to display the password in clear text and enter it manually?

Understood, but I like to keep 3rd party software usage to a minimum. There is a way to do it by browsing into Safari's autofill settings on the iPhone and viewing the contents. It'll require the phone passcode, but it'll show the password in plain text.

modelamac

join:2002-04-13
Waterford, MI
reply to dfc888

What did you do before Mavericks?



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1
reply to dfc888

Presumably if you care enough about security to let Safari generate strong passwords for you then you probably already use a passcode on your phone, too.



dfc888
Premium
join:2003-07-22
San Bruno, CA
reply to modelamac

said by modelamac:

What did you do before Mavericks?

I memorize a primary 32 character password and use subsets and shorter versions of it on different sites...

I keep an encrypted PDF in an encrypted disk image stored in the cloud somewhere with usernames and memory jogs for the various passwords for when I need them.

I wanted to put my trust in Apple to have a simpler version of what I do, and to have different passwords for different websites.

said by rjackson:

Presumably if you care enough about security to let Safari generate strong passwords for you then you probably already use a passcode on your phone, too.

I do I do!


haroldo

join:2004-01-16
united state
kudos:1

3 edits

said by dfc888:

..., wtf am I going to do at work or at a public computer?

said by dfc888:

said by modelamac:

What did you do before Mavericks?

I memorize a primary 32 character password and use subsets and shorter versions of it on different sites...
...
I wanted to put my trust in Apple to have a simpler version of what I do, and to have different passwords for different websites.
...

A person who memorizes a series of 32 character passwords is most likely one who has an incredibly high degree of respect for security.
Presumably, such a person is also aware of many of the other rules of security, but, clearly should be aware of the most basic and primary rule.... NEVER trust public or work computers. Many companies don't allow employees to use public computers or public WiFi connections to log in remotely.
In addition, the fact that Safari is storing the password doesn't create the breach in security, since by the very fact that the public or work computer can (and most likely does) capture the typed password, the notion of privacy has already been destroyed.

As such, I think this sub thread (complaining about Apple's security deficiency) is just an academic exercise with little practical benefit.
Apple is providing a tool with enhanced security protection for most users. Is it secure enough to protect national secrets? I don't think so, especially considering recent headlines.
So what is the best solution?
Divide your web site passwords into two groups, ones that are vital (such as for your bank account) and ones that aren't (such as for web forums).
When at a public computer or public Wifi, it's okay to surf forums, but restrict your bank account (and other high value information) to your home computer or one that you trust.
If you need to use a public computer to log into a secure site... don't
But if you absolutely must log in, use your memorized password (and hope and pray no one is copying what you type).


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

said by haroldo:

A person who memorizes a series of 32 character passwords is most likely one who has an incredibly high degree of respect for security.

That's really quite simple. What I do is use several English sentences I will never forget, intersperse non-alpha characters for some of the letters, and do an algorithmic init cap on some of the words. Different sentences and algorithms for different applications ensures a very strong, very long, easily remembered pass phrase. This is OK for logging into your computers, but not for websites.

I have been using 1Password for web access, and have been trying the new password manager in Mavericks. The Mavericks implementation has been falling short. Some sites require no more than 8 chars, others require upper/lower case and a numeral. The Mavericks implemented passwords don't always comply, and you don't seem to have a choice to change its format to make it compliant. Fortunately, you can use both 1Password and the built-in password manager at the same time.

said by haroldo:

If you need to use a public computer to log into a secure site... don't
But if you absolutely must log in, use your memorized password (and hope and pray no one is copying what you type).

Whenever I am remote, I VPN into my home network and work from there. As you say, no public access is secure in any way, not even for silly surfing. You can bet everything you do is being watched, for advertising purposes at the very least.

I like your 2-groups of passwords method. Similarly, I don't auto-save any real important passwords on my systems. Banking passwords for instance are only saved in my head. Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

said by TamaraB:

Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

Do you have evidence that 1Password does this?

If you choose not to use DropBox or iCloud, your keychain never leaves your system. This is why they also offer WiFi sync (for those that trust this).

Whether you trust AgileBits is a different question, but I am curious where you observed 1Password sending your details off your system.


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

said by Shady Bimmer:

said by TamaraB:

Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

Do you have evidence that 1Password does this?

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

Every browser I know of has the ability to remember passwords, that's no big deal. It's keeping them in synch between systems that's the security risk. I am not comfortable allowing my banking and other sensitive financial and medical access passwords leaving my immediate control. Other passwords, like BBR, and other systems I frequent are another matter. There is little damage which can be done if those passwords leak.

I run a Mac Mini server on my home network which provides VPN for all my WiFi access, whether in-house or out. If there was a way to synch passwords via the server, never having them leave my home network, I would feel better about these programs.

I know not how secure Agilebits or Dropbox is; given recent revelations on the subject, I suspect not very. In short, there doesn't seem to be any secure way to synch ALL your passwords between computers without exposing them to unknown/outside security threats, is there?

But that's just me, I am just a little bit paranoid and very concerned about privacy, who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

1 recommendation

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.
--
University of Southern California - Fight On!


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to TamaraB

said by TamaraB:

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

The choice to send your data offsite is yours. You don't have to use 1Password with a cloud service and many do not.

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

You can also use multiple vaults with 1Password so you can keep your different "secrets" separate. You can synchronize one vault using Dropbox, another using WiFi or USB, and another not synchronized at all.


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Thinkdiff

said by Thinkdiff:

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.

I didn't know that 1Password could synch over WiFi. I will have to revisit their docs. I am at home now, on my MacBook, WiFi connected via VPN, so my Online WiFi data is encrypted. It's pretty much the same setup I use when away from home. My private and public IP address and DNS service is always coming from my server, and CV connection.

What would 1Password synch to? A server share? Or would I have to have my other Macs on to synch with them? Wouldn't there have to be a third party, some man in the middle, involved for this to work?

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Shady Bimmer

said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice, how, without using an external service?


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Thinkdiff

said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine works as if I were local.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to TamaraB

said by TamaraB:

But that's just me, I am just a little bit paranoid and very concerned about privacy, who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?

There's nothing wrong with being a little paranoid.

WiFi at home should be using WPA2 by now which already ensures the connection is encrypted and is secure. With modern hardware there is really no downside to layering a VPN on top, however.

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too? Your MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) has its storage encrypted.

While I may or may not trust DropBox, I do not consider it secure. However 1Password keychains and encrypted containers such as encfs/boxcryptor, truecrypt, etc provide known security on top.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to TamaraB

said by TamaraB:

said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice, how, without using an external service?

With 1Password you would use WiFi sync. That is specifically why AgileBits provides this (it is a commonly used feature). If you do not use a VPN you would only be able to sync on your home network (or other trusted network that has connectivity by the devices you want to sync).


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
reply to TamaraB

said by TamaraB:

said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine works as if I were local.

As long as the L2TP tunnel is passing mDNS (broadcast) packets, I don't see why it wouldn't work over your VPN.

BTW, VPN over WiFi (w/ WPA2) isn't really necessary when you're already on your own local network. It may even cause problems if the VPN's private space is the same as your local network's space.

Do you run your ethernet connected computers through the VPN, too?
--
University of Southern California - Fight On!


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Shady Bimmer

said by Shady Bimmer:

WiFi at home should be using WPA2

Yes, I use WPA2 Personal on WiFi. With MAC address restrictions/filtering.

said by Shady Bimmer:

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too?

Yes, long pass phrases. The only way I could do that was to use OSX Server's Profile manager. But yes long secure pass phrases on both iPad and iPhone.

said by Shady Bimmer:

Your MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) has its storage encrypted.

No. After reading up on encrypted Mac filesystems, I was a bit apprehensive about going that route. I understand recovery becomes an issue with encrypted filesystems, as does disk access times. All my Macs are tricked-out with SSDs for speed, and I didn't want to take a speed hit.

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

This thread is really off the rails at this point, but..

MAC address filtering is useless. It causes more headaches for you than anybody trying to get into your wireless network. WPA2 is enough. I'm not even saying there's a trade-off with disabling it. It really, really is useless.

Long passwords can be set on iOS by going to the passcode lock settings. When the keyboard pops up to enter a passcode, press the button on the bottom left to switch between number/alpha. Then just type in any passphrase you want.

FileVault 2 is incredibly fast. If you have a recent Mac (i5 or better from the Westmere line or later, e.g. after 2010), it supports hardware AES encryption. If you have an older Mac, the speed penalty is small. In day-to-day operation, I've noticed zero difference with FileVault 2 turned on. And recovery shouldn't be a concern for you as you use Time Machine.
--
University of Southern California - Fight On!