Re: [OS X] Keychain disappointment

modelamac
reply to dfc888

What did you do before Mavericks?


dfc888
said by modelamac:

What did you do before Mavericks?

I memorize a primary 32 character password and use subsets and shorter versions of it on different sites...

I keep an encrypted PDF in an encrypted disk image stored in the cloud somewhere with usernames and memory jogs for the various passwords for when I need them.

I wanted to put my trust in Apple to have a simpler version of what I do, and to have different passwords for different websites.

said by rjackson:

Presumably if you care enough about security to let Safari generate strong passwords for you then you probably already use a passcode on your phone, too.

I do I do!


haroldo
said by dfc888:

..., wtf am I going to do at work or at a public computer?

said by dfc888:

said by modelamac:

What did you do before Mavericks?

I memorize a primary 32 character password and use subsets and shorter versions of it on different sites...
...
I wanted to put my trust in Apple to have a simpler version of what I do, and to have different passwords for different websites.
...

A person who memorizes a series of 32 character passwords is most likely one who has an incredibly high degree of respect for security.
Presumably, such a person is also aware of many of the other rules of security, but clearly should be aware of the most basic and primary rule: NEVER trust public or work computers. Many companies don't allow employees to use public computers or public WiFi connections to log in remotely.
In addition, the fact that Safari is storing the password doesn't create the breach in security, since by the very fact that the public or work computer can (and most likely does) capture the typed password, the notion of privacy has already been destroyed.

As such, I think this sub thread (complaining about Apple's security deficiency) is just an academic exercise with little practical benefit.
Apple is providing a tool with enhanced security protection for most users. Is it secure enough to protect national secrets? I don't think so, especially considering recent headlines.
So what is the best solution?
Divide your web site passwords into two groups, ones that are vital (such as for your bank account) and ones that aren't (such as for web forums).
When at a public computer or public Wifi, it's okay to surf forums, but restrict your bank account (and other high value information) to your home computer or one that you trust.
If you need to use a public computer to log into a secure site... don't
But if you absolutely must log in, use your memorized password (and hope and pray no one is copying what you type).


TamaraB
said by haroldo:

A person who memorizes a series of 32 character passwords is most likely one who has an incredibly high degree of respect for security.

That's really quite simple. What I do is use several English sentences I will never forget, intersperse non-alpha characters for some of the letters, and do an algorithmic init cap on some of the words. Different sentences and algorithms for different applications ensure a very strong, very long, easily remembered pass phrase. This is OK for logging into your computers, but not for websites.

I have been using 1Password for web access, and have been trying the new password manager in Mavericks. The Mavericks implementation has been falling short. Some sites require no more than 8 chars, others require upper/lower case and a numeral. The Mavericks implemented passwords don't always comply, and you don't seem to have a choice to change its format to make it compliant. Fortunately, you can use both 1Password and the built-in password manager at the same time.

said by haroldo:

If you need to use a public computer to log into a secure site... don't
But if you absolutely must log in, use your memorized password (and hope and pray no one is copying what you type).

Whenever I am remote, I VPN into my home network and work from there. As you say, no public access is secure in any way, not even for silly surfing. You can bet everything you do is being watched, for advertising purposes at the very least.

I like your 2-groups of passwords method. Similarly, I don't auto-save any real important passwords on my systems. Banking passwords for instance are only saved in my head. Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"
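Two of the techniques in the post above lend themselves to a worked example: deriving a long, memorable passphrase from a sentence plus per-application rules (for computer logins), and generating random per-site passwords that actually satisfy a site's length and character-class rules (the point where the Mavericks generator falls short). The code below is an added illustration, not code from the original thread, from 1Password, or from Apple. The substitution table, the capitalisation rule keyed on the application label, and the sample policies are all assumptions of the example.

```python
import secrets
import string
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# Part 1: a long passphrase derived from a sentence you will not forget.
# The substitution table and the "init cap every other word, offset by the
# length of the application label" rule are stand-ins for whatever private
# rules a user picks (assumptions of this example, not anyone's real scheme).
# ---------------------------------------------------------------------------
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}


def derive_passphrase(sentence: str, app_label: str) -> str:
    """Apply letter substitutions and a per-application capitalisation pattern."""
    words = sentence.lower().split()
    out = []
    for index, word in enumerate(words):
        # Replace only the first occurrence of each mapped letter so the
        # result stays readable and typeable.
        for plain, replacement in SUBSTITUTIONS.items():
            word = word.replace(plain, replacement, 1)
        # The capitalisation pattern depends on the application label, so the
        # same sentence yields a different passphrase per application.
        if (index + len(app_label)) % 2 == 0:
            word = word[0].upper() + word[1:]
        out.append(word)
    return " ".join(out)


# ---------------------------------------------------------------------------
# Part 2: random site passwords that comply with a site's stated rules.
# ---------------------------------------------------------------------------
@dataclass(frozen=True)
class PasswordPolicy:
    """The subset of site rules the post mentions: length bounds and required classes."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    symbols: str = "!@#$%^&*-_"


def complies(password: str, policy: PasswordPolicy) -> bool:
    """The check a site would run on a submitted password."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    checks = [
        (policy.require_upper, any(c in string.ascii_uppercase for c in password)),
        (policy.require_lower, any(c in string.ascii_lowercase for c in password)),
        (policy.require_digit, any(c in string.digits for c in password)),
        (policy.require_symbol, any(c in policy.symbols for c in password)),
    ]
    return all(present for required, present in checks if required)


def generate_password(policy: PasswordPolicy, preferred_length: int = 20) -> str:
    """Generate a uniformly random password that satisfies the policy.

    The length is the preferred length clamped into the site's bounds, so an
    "8 characters maximum" site gets 8 and a normal site gets 20.
    """
    if policy.min_length > policy.max_length:
        raise ValueError("policy has min_length greater than max_length")
    required = sum([policy.require_upper, policy.require_lower,
                    policy.require_digit, policy.require_symbol])
    length = min(policy.max_length, max(policy.min_length, preferred_length))
    if length < required:
        raise ValueError("policy cannot be satisfied: more required classes than characters")
    alphabet = string.ascii_letters + string.digits
    if policy.require_symbol:
        alphabet += policy.symbols
    # Rejection sampling keeps every character uniformly random (no forced
    # "one digit in a fixed position" bias); with realistic lengths a compliant
    # draw arrives within a handful of attempts.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if complies(candidate, policy):
            return candidate


if __name__ == "__main__":
    print(derive_passphrase("the quick brown fox jumps over the lazy dog", "mail"))
    print(generate_password(PasswordPolicy(min_length=6, max_length=8)))
    print(generate_password(PasswordPolicy(min_length=10, require_upper=True,
                                           require_lower=True, require_digit=True)))
```

The point of `complies` is that the same function serves both as the site's rule and as the generator's acceptance test, so a generated password can never be rejected on submission; a manager that generates without checking against the target site's policy is exactly what the post complains about.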


Shady Bimmer
said by TamaraB:

Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

Do you have evidence that 1Password does this?

If you choose not to use DropBox or iCloud, your keychain never leaves your system. This is why they also offer WiFi sync (for those that trust this).

Whether you trust AgileBits is a different question, but I am curious where you observed 1Password sending your details off your system.


TamaraB
said by Shady Bimmer:

said by TamaraB:

Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

Do you have evidence that 1Password does this?

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

Every browser I know of has the ability to remember passwords, that's no big deal. It's keeping them in synch between systems that's the security risk. I am not comfortable allowing my banking and other sensitive financial and medical access passwords leaving my immediate control. Other passwords, like BBR, and other systems I frequent are another matter. There is little damage which can be done if those passwords leak.

I run a Mac Mini server on my home network which provides VPN for all my WiFi access, whether in-house or out. If there was a way to synch passwords via the server, never having them leave my home network, I would feel better about these programs.

I know not how secure Agilebits or Dropbox is; given recent revelations on the subject, I suspect not very. In short, there doesn't seem to be any secure way to synch ALL your passwords between computers without exposing them to unknown/outside security threats, is there?

But that's just me, I am just a little bit paranoid and very concerned about privacy, who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?




Thinkdiff

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.
--
University of Southern California - Fight On!

Shady Bimmer
reply to TamaraB
said by TamaraB:

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

The choice to send your data offsite is yours. You don't have to use 1Password with a cloud service and many do not.

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

You can also use multiple vaults with 1Password so you can keep your different "secrets" separate. You can synchronize one vault using Dropbox, another using WiFi or USB, and another not synchronized at all.


TamaraB
reply to Thinkdiff
said by Thinkdiff:

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.

I didn't know that 1Password could synch over WiFi. I will have to revisit their docs. I am at home now, on my MacBook, WiFi connected via VPN, so my online WiFi data is encrypted. It's pretty much the same setup I use when away from home. My private and public IP address and DNS service is always coming from my server, and CV connection.

What would 1Password synch to? A server share? Or would I have to have my other Macs on to synch with them? Wouldn't there have to be a third party, some man in the middle, involved for this to work?




TamaraB
reply to Shady Bimmer
said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice, how, without using an external service?


TamaraB
reply to Thinkdiff
said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine works as if I were local.

Shady Bimmer
reply to TamaraB
said by TamaraB:

But that's just me, I am just a little bit paranoid and very concerned about privacy, who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?

There's nothing wrong with being a little paranoid.

WiFi at home should be using WPA2 by now which already ensures the connection is encrypted and is secure. With modern hardware there is really no downside to layering a VPN on top, however.

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too? Your MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) all have their storage encrypted.

While I may or may not trust DropBox, I do not consider it secure. However 1Password keychains and encrypted containers such as encfs/boxcryptor, truecrypt, etc provide known security on top.

Shady Bimmer
reply to TamaraB
said by TamaraB:

said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice, how, without using an external service?

With 1Password you would use WiFi sync. That is specifically why AgileBits provides this (it is a commonly used feature). If you do not use a VPN you would only be able to sync on your home network (or other trusted network that has connectivity by the devices you want to sync).


Thinkdiff
reply to TamaraB
said by TamaraB:

said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine works as if I were local.

As long as the L2TP tunnel is passing mDNS (broadcast) packets, I don't see why it wouldn't work over your VPN.

BTW, VPN over WiFi (w/ WPA2) isn't really necessary when you're already on your own local network. It may even cause problems if the VPN's private space is the same as your local network's space.

Do you run your ethernet connected computers through the VPN, too?
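The warning above about the VPN's private address space colliding with the local network's is easy to check mechanically: two CIDR blocks either nest or are disjoint, so a host address that falls inside both the LAN and the VPN pool has two candidate routes. The code below is an added example (not from the thread or from any VPN product) that finds such clashes among a constructed set of ranges, reports which ranges a given host is reachable through, and picks a pool that clashes with nothing configured. The sample networks are made-up values, not anyone's real configuration.

```python
import ipaddress

# Constructed sample of the ranges a setup like the one in this thread has:
# the home LAN, the pool the home VPN server hands out, a friend's LAN and a
# public network you might connect from. Example values only.
SAMPLE_NETWORKS = {
    "home LAN": "10.0.1.0/24",
    "VPN pool": "10.0.1.200/29",
    "friend's LAN": "192.168.1.0/24",
    "cafe WiFi": "10.0.0.0/24",
}


def overlapping_ranges(networks: dict) -> list:
    """Return (name_a, name_b, shared_range) for every pair of ranges that share addresses.

    Two CIDR blocks either nest or are disjoint, so the shared range is always
    the more specific (longer-prefix) block of the pair.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    names = sorted(parsed)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                shared = max(parsed[a], parsed[b], key=lambda n: n.prefixlen)
                clashes.append((a, b, str(shared)))
    return clashes


def reachable_via(host: str, networks: dict) -> list:
    """Names of every range containing host; more than one means the route is ambiguous."""
    addr = ipaddress.ip_address(host)
    return sorted(name for name, cidr in networks.items()
                  if addr in ipaddress.ip_network(cidr, strict=False))


def suggest_pool(networks: dict, prefixlen: int = 29) -> str:
    """First /prefixlen block inside 10.0.0.0/8 that overlaps nothing already configured."""
    taken = [ipaddress.ip_network(c, strict=False) for c in networks.values()]
    for candidate in ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    raise RuntimeError("no free block of that size in 10.0.0.0/8")


if __name__ == "__main__":
    for a, b, shared in overlapping_ranges(SAMPLE_NETWORKS):
        print(f"{a} and {b} both cover {shared}")
    print("10.0.1.202 reachable via:", reachable_via("10.0.1.202", SAMPLE_NETWORKS))
    print("non-clashing pool:", suggest_pool(SAMPLE_NETWORKS))
```

Including the networks you regularly connect from (a friend's LAN, a cafe) in the input matters as much as the home LAN: a VPN pool or home range that matches the remote network's addressing is the common cause of a tunnel that "comes up" but never carries traffic.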


TamaraB
reply to Shady Bimmer
said by Shady Bimmer:

WiFi at home should be using WPA2

Yes, I use WPA2 Personal on WiFi. With MAC address restrictions/filtering.

said by Shady Bimmer:

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too?

Yes, long pass phrases. The only way I could do that was to use OSX Server's Profile manager. But yes long secure pass phrases on both iPad and iPhone.

said by Shady Bimmer:

Your MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) all have their storage encrypted.

No. After reading up on encrypted Mac filesystems, I was a bit apprehensive about going that route. I understand recovery becomes an issue with encrypted filesystems, as does disk access times. All my Macs are tricked-out with SSDs for speed, and I didn't want to take a speed hit.




Thinkdiff
This thread is really off the rails at this point, but..

MAC address filtering is useless. It causes more headaches for you than anybody trying to get into your wireless network. WPA2 is enough. I'm not even saying there's a trade-off with disabling it. It really, really is useless.

Long passwords can be set on iOS by going to the passcode lock settings. When the keyboard pops up to enter a passcode, press the button on the bottom left to switch between number/alpha. Then just type in any passphrase you want.

FileVault 2 is incredibly fast. If you have a recent Mac (i5 or better from the Westmere line or later, e.g. after 2010), it supports hardware AES encryption. If you have an older Mac, the speed penalty is small. In day-to-day operation, I've noticed zero difference with FileVault 2 turned on. And recovery shouldn't be a concern for you as you use Time Machine.


TamaraB
reply to Thinkdiff
said by Thinkdiff:

As long as the L2TP tunnel is passing mdns (broadcast) packets, I don't see why it wouldn't work over your VPN.

I don't know what that means. I will have to look it up.

said by Thinkdiff:

BTW, VPN over WiFi (w/ WPA2) isn't really necessary when you're already on your own local network. It may even cause problems if the VPN's private space is the same as your local network's space.

Yes, I get an address in the same address space over VPN (Local and remote) 10.0.1.XX. I have not observed any issues, it just works. Possibly because it's a Mac OSX server providing the VPN, DNS, and routing?

said by Thinkdiff:

Do you run your ethernet connected computers through the VPN, too?

No. I ASSUME that data is restricted to the copper wire. At least I think so. However, when I am at my GF's, and ethernet connected, I do run through my VPN. She has all sorts of stuff connected including WinDoze machines, I treat that network like any other hostile network.



Shady Bimmer
reply to TamaraB
said by TamaraB:

Yes, I use WPA2 Personal on WiFi. With MAC address restrictions/filtering.

I use MAC address filtering too, but realize that it really does not offer anything in the way of security (it is trivial to spoof a hardware address, and it is trivial to identify an authorized hardware address)
said by TamaraB:

No. After reading up on encrypted Mac filesystems, I was a bit apprehensive about going that route. I understand recovery becomes an issue with encrypted filesystems, as does disk access times. All my Macs are tricked-out with SSDs for speed, and I didn't want to take a speed hit.

I'm not sure where recovery becomes an issue, though it depends entirely upon your backup solution. You noted you use Time Machine (as do I), which backs up the unencrypted data. You have the option to additionally encrypt your backups, but the data that is backed up is itself the unencrypted contents.

With respect to performance, you may want to do some testing. Not necessarily running benchmarks, but actually trying it out to see if it makes a noticeable difference. Modern Intel processors include acceleration for the types of encryption used most commonly which helps tremendously. I personally don't notice any difference on my mid-2010 MBP.

Getting back to the original topic, Apple's direction with integration of keychains with iCloud is a good thing, even if only to encourage more users to embrace password managers. This is beyond basic browser password caching and is more secure.

Users of 1Password will likely not find any benefit with the Apple solution, especially with the recently released update. However for those that do not use any password manager this is a big step forward.


TamaraB
reply to Thinkdiff
said by Thinkdiff:

FileVault 2 is incredibly fast. If you have a recent Mac (i5 or better from the Westmere line or later, e.g. after 2010)

All my Macs are Late 2012 i7s with the faster CPU. FileVault can be turned on at any time right?

Shady Bimmer
Yes it can be enabled or disabled at any time.

As a best practice always ensure you have a good backup (or two). It will take some time to encrypt the drive, but with an SSD this will be much faster than spinning rust.