Working with OS X Keychain
In the app Keychain Access, I can see a ton of saved passwords which I can view by using my system password. (I don't remember ever setting an official keychain password.)
Are there best practices here for co-existing with OS X Keychain? I'm concerned that I have everything locked up in 1Password but have left the back door open by not locking it down. The list of stuff in Keychain Access is endless. FYI I don't have Safari saving passwords and I don't use iCloud Keychain.
Any tips would be appreciated.
Thanks.
Comments
-
I don't think we have any real best practices here. My recommendation would be to have a strong password for both your 1Password Master Password and your system's account password (ideally not the same strong password, naturally). Nothing much beyond that.
There's little that 1Password can do to help protect the system keychain, and vice versa. If you were extra careful you may want to only store the password in one system and not both. Personally I think that's a bit overkill, but you can never be too careful.
If you have any specific questions, we'd love to answer them.
Rick
0 -
Thanks for your reply. I guess I was concerned because typically a system password is used quite a bit and so tends to be simpler. And I didn't realize you could unlock previously entered passwords in Keychain Access just by knowing the system password. That's a pretty big and unexpected vulnerability that at the very least should be mentioned in your documentation, no? I had thought just knowing my 1Password was enough. Now I have to know both it and the system password, which has to be stronger than just a few chars. (Most people I know keep their system password simple because they have to type it a lot.)
BTW should I lock the Local Items in Keychain Access? Is it supposed to be unlocked? I really wish there was a page somewhere that explained all of this and how to manage the Mac Keychain.
Thanks.
Tim
0 -
> I didn't realize you could unlock previously entered passwords in Keychain Access just by knowing the system password. That's a pretty big and unexpected vulnerability that at the very least should be mentioned in your documentation, no?
We don't make Keychain Access, so we don't have documentation about it on our site. It's an Apple product, so their site should have documentation for it. Have you tried looking there?
> BTW should I lock the Local Items in Keychain Access? Is it supposed to be unlocked? I really wish there was a page somewhere that explained all of this and how to manage the Mac Keychain.
Again, these are questions that Apple should be able to answer, since they make Keychain Access / iCloud Keychain. A good place to start would be the Apple Support site. I'm sure you'll be able to find more information there! :)
Sorry we don't have much information about that! But if you have any questions about 1Password, please let us know.
0 -
Thanks, will do. I guess the reason I'm harping on all of this is because I had thought if I had 1Password and used it correctly, I'd be protected. I didn't realize that if someone knew my system password, they could look at many of my passwords via Keychain Access. Agilebits presents 1Password as the solution, but it's only a partial one.
0 -
Most applications, if they need to save a password, seem to do so using Apple's keychain. Skype for example, my IRC client, Finder etc. Some may make it obvious and ask if you want to save using the keychain for reasons of convenience, some may go ahead and automatically store, although if I recall correctly you have to give a program permission to access the keychain and this can be revoked.
One thing I wasn't entirely clear on. When you say you don't have Safari saving passwords, have you checked to see if it currently has any stored for you? You can do that by checking the Passwords tab of Safari's preferences and there is a Remove All button that you can use to purge your stored passwords (if there are any).
For me, I have a strong password for both my user account and 1Password. I also encrypt the entire drive too.
Back to the system keychain. I don't know of any great sources but if I come across one I'll post here. I know you can change passwords and if they aren't in sync with your user account you will get asked for it each time and undoing such a thing may require creating a fresh login keychain. If you're curious it might be something to try in a test account on your Mac, that way you don't do any harm to your real one.
0
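An added example, not part of the thread and not code from Apple or AgileBits: a shell function that inventories which applications and servers have items in a keychain, by parsing the metadata that macOS's `security dump-keychain` prints (run without `-d`, so no stored secrets appear in the output). The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Summarise `security dump-keychain` output read from stdin: one line per item,
# formatted as "class | service-or-server | account".
# On a Mac:  security dump-keychain | keychain_inventory
# Related settings:  security show-keychain-info   (shows the current lock settings)
#                    security set-keychain-settings -l -u -t 300
#                    (lock on sleep and after 300 seconds of inactivity)
keychain_inventory() {
    awk '
        # Print the item collected so far, if any.
        function emit() { if (cls != "") print cls " | " where " | " acct }
        # Strip the attribute name up to the first "=" and the surrounding quotes.
        function val(line) { sub(/^[^=]*=/, "", line); gsub(/"/, "", line); return line }
        # A "class:" line starts a new item ("genp" = generic, "inet" = internet).
        /^class:/ { emit(); cls = $2; gsub(/"/, "", cls); where = "-"; acct = "-"; next }
        /^ *"svce"<blob>=/ || /^ *"srvr"<blob>=/ { where = val($0); next }
        /^ *"acct"<blob>=/ { acct = val($0); next }
        END { emit() }
    '
}

# Constructed, abbreviated sample of dump-keychain output (not real data).
sample_dump() {
    cat <<'EOF'
keychain: "/Users/tim/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Skype"
    "acct"<blob>="tim"
    "svce"<blob>="Skype"
class: "inet"
attributes:
    0x00000007 <blob>="irc.example.net"
    "acct"<blob>="tim_irc"
    "srvr"<blob>="irc.example.net"
class: "genp"
attributes:
    0x00000007 <blob>="AirPort"
    "acct"<blob>=<NULL>
    "svce"<blob>="AirPort"
EOF
}
```

Running `sample_dump | keychain_inventory` shows the output format without touching a real keychain.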