hoakley August 9, 2023 Macs, Technology

When should you provide a keychain or admin password?

If there’s one thing that you need to remember about keychains, it’s how they can prompt you for a password to grant access to them. This is important, as it’s something that malicious software may try to emulate so that it can take over your Mac. Remember that the password to your default file-based keychain is your normal user password, as well as protection for all your secrets within that keychain, and you’ll understand why this is targeted by attackers.

You will also get perfectly legitimate requests for that and other keychain passwords. Although the login keychain is normally kept unlocked while you’re logged into your Mac, the macOS security system determines whether each request for passwords, certificates, and its other contents are correctly authorised. If the app isn’t trusted or the keychain is locked, then the security system, not the app, displays a dialog asking you for the password to that keychain to authenticate before it will provide the password or other secret to the app.

That authentication dialog is very important: although malware might try to forge it, it contains distinctive features you should always look for:

The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that has asked to access the keychain.
The bold text names the app or component which has called for keychain access, and states which item it’s asking to access: here, a named secure note.
The smaller lettering specifies that it’s asking for the keychain password, that is the password used to unlock the named keychain, not your Apple ID or any other password.
If you’re in any doubt about its authenticity, click on the Deny button and the request will be denied.
If you’re in any doubt about its authenticity, you can open Keychain Access, lock the keychain there, and repeat the action while watching the keychain to ensure that it’s unlocked and handled correctly.

Note that it doesn’t provide or ask for your user name, only the password for that keychain.

Older versions of macOS may display this slightly differently, but still contain the same key items of information to reassure you that the request is genuine. While Ventura has changed many of these dialogs to its new vertical format, this remains unchanged, and shouldn’t change in Sonoma either.

That request to unlock a keychain is quite different from other requests for your admin user’s password to obtain authentication for other purposes, such as a process running a privileged helper. In Ventura and later, that has adopted the new format and should contain the following:

The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that is asking for your password.
Bold text names the app making the request.
Below that is a general indication of the purpose of the request.
Below that is the instruction to Enter your password to allow this.
There are two text boxes, to contain your user name (already completed) and password.
There are only two buttons, one of which may be OK or something more specific, and the other is Cancel.
If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.

That too may be forged by malicious software, so you need to be familiar with its layout and contents.

The simple summary is that, if you’re ever in any doubt that a request for a keychain or admin user password is completely genuine, click on Cancel or Deny, and check with the app concerned whether the request is expected.

20Comments

Add yours

1

Nick on August 9, 2023 at 7:42 am

This is a big subject, but I have long worried about the monolithic nature of the Keychain and the immense risk of it being plundered by malware. I have a few questions:

1. Firstly, if a malicious actor wanted to access the keychain, how possible would it be to gain access to the WHOLE keychain through a “legitimate” (in terms of the access through the OS, not the coerced authentication) programmatic route? Or is it only possible to access one (or a few) item(s) in the Keychain?

2. The Keychain authentication dialog would be very easily forged by a malicious actor, maybe through a website, but having presented this forged dialog, how easy is it for the Keychain to be accessed programmatically and fraudulently, bypassing the display of a dialog, using the credentials that have been obtained?

3. I have tried to somewhat silo my various devices so that there are different usernames and passwords for my file server, mail accounts, computers, and so on. However the Keychain is one big repository of immense value (and risk) to me with the same password as my computer, including passwords for devices as well as websites and various other things. This is very convenient but a big vulnerability, and potentially undoes the creation of a range of passwords for different resources. Why is there not more of a “separated” approach to the Keychain with different keychains for different types of resources, to which you could assign different passwords? This would undoubtedly complicate the saving of credentials into the Keychain, as you would have to choose which keychain to store them into, but it would be much less vulnerable.

4. Following on from the above, even if the OS dialog is displayed, the information it provides to the user can be very limited and often is not enough to assist even an educated user to judge whether the request is valid or not. Is there anything that Apple can do to validate more rigorously whether the attempt to access the Keychain is valid or not?

Sorry for the detail in the above, but these are things that have been concerning me for a while now, and the Keychain is a worryingly big potential vulnerability into my whole (and my business’) digital life.

Having said that, macOS is more robust in this area than Windows which simply asks you to click on a button to approve many changes to the computer.

LikeLiked by 2 people
- 2
  
  hoakley on August 9, 2023 at 8:31 am
  
  Thank you.
  If you read my previous overview, you’ll see that far from being monolithic, Macs have several keychains, each with different access controls and contents. macOS is currently in transition from using its login file-based keychain for most secrets storage to using the Data Protection keychain either shared in iCloud or stored locally as Local Items. Add passwords through Safari now, for instance, and you’ll find them being kept in the Data Protection keychain. One of the driving forces behind this is that file-based keychains can’t be secured as well as the DP keychain can.
  1. No single app can gain access to the whole of the login or any other keychain. Individual items within that will remain restricted to it without the user approving its access and providing the keychain password: the Keychain Access example above is evidence.
  2. I don’t agree. In its entirety, it’s actually a lot harder to forge than you might think. I’m not aware of any malicious software that has succeeded in doing so, and it’s even harder if you try through a website.
  3. The whole purpose of a keychain is to avoid your having to enter every password your Mac would otherwise require. Each item in a keychain has its access limited through the security system. You’ll see some items that merely require that app to have approved access to the whole keychain, while others can only be accessed by specific apps, or the user will be prompted for their explicit permission. You can always create your own keychains and set your own policies there if you wish. However I think you’ll quickly get fed up with having to enter passwords all the time.
  4. I disagree completely. The info tells you exactly which app, which keychain, and which item in that keychain it wishes to access. There really isn’t any more to know, is there? If it doesn’t make sense that that app is making the request, simply Cancel it and check with the app’s documentation or support. If those can’t explain the request, then don’t allow it in the first place. I fail to see how macOS could perform any additional validation.
  
  The big vulnerability in keychains isn’t within them, or their protection: it’s the user being fooled into giving their keychain password to a malicious app in response to an obviously bogus dialog. That said, DP keychains are far harder for the malicious to subvert, hence the slow transition.
  It’s also worth bearing in mind that the more users have to allow genuine access requests, the more likely they are to allow false requests. There’s a fine balance to be struck.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Udo Thiel on August 9, 2023 at 11:51 am
    
    There were at least two keychain exploits in recent history, Patrick Wardle showed one for High Sierra, and Linus Henze one for Mojave. IIRC they both attacked files-based keychains.
    
    LikeLiked by 2 people
    - 4
      
      hoakley on August 9, 2023 at 12:41 pm
      
      You have a good memory – you’re right on both POCs. And that’s why Apple is trying to move away from file-based keychains.
      Howard.
      
      LikeLiked by 1 person
5

Beatrix Willius on August 9, 2023 at 9:43 am

Does clicking on Deny in the Keychain dialog still close down the entire Keychain? I’ve done that a couple of times when I clicked on deny in my own app. Afterwards I had to restart the computer to get access to the Keychain again. macOS High Sierra. I was never keen on testing that on newer versions of macOS.

The users have undergone so much clicker training that just want to go any dialog away. Many dialogs all lack context so that the users doesn’t have a clue to understand the meaning.

In Sonoma the security idiocy continues with new warnings. One of them is “app would like to access data from other apps”. Which app is accessed? Is this good or bad? Apps have to communicate all the time. Especially large apps with a herd of helper apps.

LikeLiked by 2 people
- 6
  
  hoakley on August 9, 2023 at 10:49 am
  
  Clicking Deny has never, to the best of my knowledge, done anything more than deny that specific request. The worst that it could do would be to lock that keychain, which is readily unlocked the next time anything needs access to it. However, if the app that is denied does something inappropriate, it could cause problems, perhaps. If your app handles a denied request properly, then nothing else should happen, and it’s well worth testing, as users could easily deny the request.
  Keychain dialogs have carried the same info as they do now since Sierra and before, and never appear without it. So there’s no excuse that they’re too hard to understand, or don’t give the user sufficient info. Sadly, the same can’t be said for TCC and other subsystems that present dialogs that are rubbish by comparison.
  Howard.
  
  LikeLiked by 1 person
7

SarahB on August 9, 2023 at 11:22 am

After your previous article on keychain I looked closer to see if I could use it for passwords like I do with 1password7. Then I found that password thing apple built into macOS kind of recently. I remember seeing it in safari but even now in settings it’s on the side menu and has its own spot. When I go to it though just says ‘passwords are locked’, enter the password for the user ****** to unlock.

When I put in my user password nothing was there. No passwords I mean but I never set it up. I just wish apple gave us more info. Sorry since I know you wrote about keychain but I’m still stuck on 1pass7 and never used 8. Don’t know how much longer 7 will be supported. I tried to look at using keychain or this password thing but don’t like how just my user password is the key. I prefer using a very long master password like I do in 1pass.

I really prefer to use a separate password manager but I know they have been going downhill especially ones like last pass which I never used. I feel the days are numbered for 1pass even before something is leaked. I don’t mean to say keychain is bad. It’s already confusing me how there is this password thing and keychain. Then what if apple makes some changes again as they often do.

I like keychain for what I have been using it for and works fine for me. I just like to keep the majority of my passwords somewhere separate. Very sad how 1password went. I thought I would keep using that app for many years. 1password8 was so terrible and never worked right from the start. I don’t like how they are in control of my passwords also, where 1pass7 I could be in control.

LikeLiked by 2 people
- 8
  
  Udo Thiel on August 9, 2023 at 12:04 pm
  
  Sucurity is all about trust. Who do you trust more? Apple or 1Pass? You do trust Apple, otherwise you shouldn’t use macOS. Trusting a third party automatically increases the attack surface of your Mac.
  
  There is always a trade off between the level of security and the level of commodity. You can’t have both.
  
  LikeLiked by 2 people
  - 9
    
    SarahB on August 9, 2023 at 12:37 pm
    
    I never said I don’t trust apple. Don’t know why you keep thinking I hate macOS. I’m not at risk for using 1password since I have my vault they don’t. I can store it where I want. I was just saying that if apple wants to start dealing with passwords I wish they had more documentation that is all. When I go to passwords in settings there really is nothing helpful there. You really don’t understand what I am saying. I’m done with commenting here.
    
    LikeLiked by 2 people
    - 10
      
      hoakley on August 9, 2023 at 12:43 pm
      
      Please: “I’m done with commenting here.” Your comments, both in macOS and painting articles, are valued.
      Howard.
      
      LikeLiked by 1 person
    - 11
      
      Udo Thiel on August 9, 2023 at 12:52 pm
      
      There is obviously some misunderstanding here. You are talking about hate. I was not talking not about hate. I was talking about trust.
      
      This section is called “Comments”. I don’t think I did anything else than make comments.
      
      LikeLiked by 2 people
- 12
  
  hoakley on August 9, 2023 at 12:38 pm
  
  Thank you.
  “don’t like how just my user password is the key. I prefer using a very long master password like I do in 1pass.”
  If your user password is that weak, perhaps you should use a more robust password that instead? After all, that’s what gives a potentially malicious process access to your whole Mac as root user, and access to all the data protected by FileVault.
  Howard.
  
  LikeLiked by 1 person
  - 13
    
    SarahB on August 9, 2023 at 1:13 pm
    
    My password isn’t weak. It’s not even about my user password though for me. Kind of more about keeping all eggs in one basket. I like to keep some things separate. Sorry I don’t mean to sound angry or argue. Just for so long places I kept my passwords had its own master key as an extra level of security. So it’s more my problem and worried about trying something new. I don’t like change much.
    
    I have a system with what I use now and I’m able to back up my vault and save it where I want often. I just don’t know how any of this would work in macOS in the passwords area. I’m not talking about keychain also but this new passwords thing in macOS but I know its all connected. I see it saves them into the keychain also. Since I used a password manager so long, switching to something new will just take time. A lot of stuff is in my password manager so I like to know what I’m getting into first to make sure everything will work.
    
    I found a page at apple explaining passwords, I just don’t know if it has the same features like letting me store images along with a password or screen shots or one time passwords. I don’t mean one is better than another. It’s more me and fear of change.
    
    Also I have my mom using 1password and its been so hard to get her at her age to finally using it well. She also is using 1pass7 not 8. So I will have to get her to change to apple’s passwords also. I will try and see how it goes by just moving a few passwords but I still use 1password as a vault of sorts not just passwords there but a lot of docs and things also like drivers license stuff and just don’t know if apple’s passwords is set up the same to allow such things in it.
    
    Sorry to write so much but this is a big deal for me to switch over to and takes a lot of explaining.
    
    LikeLiked by 2 people
    - 14
      
      hoakley on August 9, 2023 at 8:24 pm
      
      I appreciate that, and always welcome your comments. I have an article coming, probably on Friday, that might help you to decide what to do with your other sensitive data.
      Howard.
      
      LikeLike
  - 15
    
    SarahB on August 9, 2023 at 1:17 pm
    
    Sorry couldn’t edit my reply. I did try to create a new password in the settings app but I see it’s too simple. Didn’t even let me pick the length of a password or what characters to use. No one time password option. Just a place for notes but no images. So this is why I can’t use it. Maybe it will get better in time but for now there is no other app I can use to replace what I am currently using. Not that I don’t trust it or don’t like it, it just has to have the options I need to store all my info.
    
    LikeLiked by 2 people
16

John Gilbert on August 9, 2023 at 11:23 am

The number of times, each day, that I have to type my password has got out of control. Supposedly for “security”. I have got to the stage where a) I hardly do more than glance at the pop up (I certainly don’t study the details of an icon), b) I have a Keyboard Maestro shortcut which enters the password for me, and c) just do it. Perhaps bad practice, but the sheer number of security checks makes me blasé about the whole process. The level of risk seems to be low – negligible likelihood of moderately severe consequences. I hope there is a subconscious check each time (I am ex IT security), but conscious checking of details has long gone.

I don’t mind the brief warning, but really it just needs “yes” and “no”. I type my medium long password at login or wake up – that should be enough.

LikeLiked by 2 people
- 17
  
  Udo Thiel on August 9, 2023 at 12:06 pm
  
  You are obviously not using a Mac with Touch ID.
  
  LikeLiked by 2 people
- 18
  
  hoakley on August 9, 2023 at 12:40 pm
  
  I’m sorry to hear that. That’s precisely my point: giving your password for a privacy control using TCC is different. It’s really important to examine the dialog properly, or you could well hand your password to something malicious. That’s why this dialog is different, and needs to be read and checked more carefully than any other.
  Howard.
  
  LikeLiked by 1 person
19

Mike S on September 4, 2023 at 11:52 am

One aspect that has, in my opinion, regressed is the loss of clarity. Once it was clear that your “keychain”, an objectively personal item from the real world, was being “accessed”. Now it’s just something wanting permission to make changes or alter settings. Somehow that does not relate as clearly to those real-world items that one reflexively protects.
For many users it might be fine-trimming the turbinator flange and they would be equally clear about what’s happening.
The user now needs additional (unsolicited) instruction on the importance of looking closely and reading carefully a dialog which is interrupting and distracting them from the task they intend.

LikeLiked by 1 person
- 20
  
  hoakley on September 4, 2023 at 5:02 pm
  
  Thank you.
  I’m afraid that I don’t agree with respect to requests for keychain access: they have changed very little since Sierra and earlier, as I state above.
  Requests for admin authentication have always been a problem. System-provided dialogs are fairly standardised, as shown above, but they provide little detail for the user. I wonder, though, how many users would bother to read “requests your admin user password, in order to authenticate to the NSxxxx subsystem to obtain a xxxxx”? Even developers are sometimes puzzled about what needs authentication, and the docs are often uninformative too: man pages with “some of these options may require elevated privileges”.
  Howard.
  
  LikeLike