FileVault login prompt disallows password paste
I use several USB drives for off-site backups, which I recently decided to encrypt using Apple FileVault.
The thought of encrypting drives seems a lot less intimidating now, since I'm using 1Password as a credential vault, because I can generate an arbitrarily long, random passphrase to decrypt the drive, and the passphrase will never need to be typed in — right? Wrong!!!
After successfully encrypting the drive, I later connect it, and the Apple FileVault login dialog appears as expected — but it does not allow anything to be pasted into the password field! No right-click > Paste; no Cmd-V, nothing!!
There is an option to remember the passphrase as part of my Keychain. But I don't want to do that, because it will mean the FileVault passphrase is tied to my main OS X login, which is much weaker because it needs to be, since I type it in 10 times a day. Besides, I don't use Apple's Keychain as my credential storage mechanism, I use 1Password.
Disallowing password paste is something I've seen only occasionally before. PayPal disallows password paste when you SET a new password (mildly inconvenient), but allows it when you subsequently log in. A courier company called myHermes (myhermes.co.uk) is the only web site I've used which disallows password paste when you actually log in (I once complained to them about this, but they never responded).
But Apple should know better. What were they thinking?
Since credential vaults are the solution to the "password problem", and the only way to get a password from a credential vault into a target system is by pasting it in manually (or using a programmatic alternative), is there any justification for disallowing paste in a password prompt — ever?
Comments
-
Hi @semblance,
Unfortunately, there's not really anything you can do in this case other than manually typing your password into the input field. I'm not sure why Apple has added this restriction on pasting. It's definitely not helpful for 1Password users. :(
Sorry I don't have a better answer for you!
0 -
One of our users submitted a bug report to Apple: http://www.openradar.me/16489751
I submitted a duplicate of this report to vote it up, and if you have a developer account, I encourage you to do the same.
0 -
Thanks @JasperP and @roustem. I don't have a developer account, but I have now sent "Feedback" to Apple at http://www.apple.com/feedback/macosx.html.
From the bug report mentioned by @roustem, it looks like the situation is even worse if the encrypted drive is connected when the computer is rebooted — I hadn't tried that. In that case it sounds like the password prompt is modal and you can't even open 1Password to copy the password.
What I tried is the second scenario mentioned in the bug report, which is plugging the encrypted drive into a computer that is already booted up. In that case, you can open 1Password and copy the password, you just cannot paste it.
0 -
Some discussion elsewhere suggests that Apple did this deliberately because "it makes a brute force hack of the dialog box more difficult".
But I don't think this makes sense; if someone has your data, they can easily mount an off-line attack without using Apple's dialog boxes.
If there are security reasons for doing this, they must be more nuanced than some vague notion about preventing brute force hacks.
0 -
Good idea submitting feedback to Apple!
"But I don't think this makes sense; if someone has your data, they can easily mount an off-line attack without using Apple's dialog boxes."
I think you're right. An attacker wouldn't copy and paste into Apple's dialog box during a brute force attack.
Please let us know if you have any other questions!
0