First, this command definitely should require confirming your password.
Second, I don’t think this is quite as bad as the author is making out because it does require you to be logged in as your user right?
If someone’s logged in as my user they can already make use of those keychain entries without confirming my password, it’s not THAT much worse to be able to dump them all. It is definitely worse but it’s not like they didn’t already have access to all of those entries.
Yeah, unfortunately the phrase “any user” is describing “any person sitting at your keyboard while you are logged in” and not the more typical “any account”.
Various websites have the bug where you can change your password without confirming the old password. I would not describe that situation as “any user can change your password” however.
We just tried this on a friend’s machine, and found that you need to have granted the script editor “assistive access”, which he hadn’t. Enabling this does require a password.
Although I do wonder if apple is capable of enabling this mode…
It is, in fact, possible to configure the login keychain to automatically lock after a specified duration of inactivity. I used to do this (before I switched to Linux and had to deal with not having a keychain at all). It was a slight inconvenience but as streamlined as it possibly could be. Setting it to about ten minutes was sufficient that I’d wind up only unlocking it once per time that I wanted to do things needing login.
You can also turn on a menu item that shows whether it’s locked or unlocked, and can be used to lock it at any time.
It is a lot to expect consumers to know this, and I agree with the article’s complaint that the security model isn’t very well-explained. The advice I’d actually offer to a general audience is much simpler - never let anyone else control your screen unless you’re willing to learn how to secure the system.
[Comment removed by author]
That’s exactly it: The login keychain makes it very easy to securely and conveniently store credentials for users by storing them encrypted & unlocking on login, but all that means that you must lock your screen while you’re not using your computer.
That Apple isn’t making it easy to lock a mac’s screen out of the box is a pretty big problem.
Ctrl-shift-eject or ctrl-shift-power, although you’re right that a menu item would help that quite a bit.
Just wanted to note that ctrl-shift-power is kind of a crappy combo because the power button is all the way up there in the top-right corner of the keyboard. Also if you have a MacBook setup with an external non-Mac keyboard (IE, a keyboard without an eject key), this combo requires that you reach for the power button on your MacBook. Of course you can use third-party tools, AppleScript, or custom keyboard firmware to set up an alternate mapping, but that’s tedious and we shouldn’t expect regular users to have to do that.
Gnome uses super-l to lock the screen, which doesn’t have these issues, and is also easy to remember because of the mnemonic “l for lock”.
Windows uses the same “windows+L” combination to lock, and my keyboard actually has an explicit “lock” key combination (Fn+F2, which generates XF86ScreenSaver) that I’ve configured for the purpose. Screen locking is one of those fundamental keyboard shortcuts that should get pride of place, not relegated to the bucket of forgettable two-modifier shortcuts.
There is an entire menu. Applications > Utilities > Keychain Access > Preferences… > General > Show keychain status in menu bar.
Edit: I should probably mention that choices in the menu include “lock screen” and “lock keychain”.
It’s extremely easy using “Hot Corners” - my MBP goes to a password-protected screensaver immediately once I move the cursor to the upper-right corner of the screen.
You could argue that this should be enabled out of the box I suppose, but it’s really quite trivial to do.
God no, I loathe hot corners. The keyboard shortcut is far easier.
This is the right answer. It’s not a “security flaw,” the flaw is the access control given to said “attacker.” If you’ve let someone on your system, they can easily get your keys. That’s why one should use guest accounts/limited privileges when other people are to use the system.
When I’ve logged into my debian user account I’d never let someone touch my system.
Looks like it’s a CLI tool can’t run this in the background without you noticing which I first thought when I saw it. One will get a popup asking of one wants to allow it access and only if circumventing that dialog, through the script suggested in the article, will one actually get any passwords.
There’s some great discussion over on HN about whether this is more about overall user experience or a “security flaw.”
Except for linking to specific comments as a reference for a quote, let’s stop posting links to the same submission on HN.
I’d wager most people here are aware of HN but choose to come here instead (or at the same time, like I do for example). Posting a link to the other discussion doesn’t contribute to the one happening here.