hoakley March 8, 2024 Macs, Technology

How to tell genuine password requests from fakes

Malware has one common feature: it usually tries to trick you into giving it your password. Without that, it can’t do many of the nasty things it intends, like stealing your private information. One fundamental defence we all have against malware is our ability to distinguish between genuine and fake requests for a password. To help you achieve that, this article looks at some of the standard password dialogs used by macOS. If what you see on your Mac doesn’t match one of these, then it’s most likely to be a fake.

Keychain access

Although your login keychain is normally kept unlocked while you’re logged into your Mac, the macOS security system determines whether each request for passwords, certificates, and other contents are correctly authorised. If the app isn’t trusted or the keychain is locked, then the security system, not the app, displays a dialog asking you for the password to that keychain to authenticate before it will provide the password or other secret to the app.

That authentication dialog is very important: although malware might try to forge it, it contains distinctive features you should always look for:

The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that has asked to access the keychain.
The bold text names the app or component which has called for keychain access, and states which item it’s asking to access: here, a named secure note.
The smaller lettering specifies that it’s asking for the keychain password, that is the password used to unlock the named keychain, not your Apple ID or any other password.
If you’re in any doubt about its authenticity, click on the Deny button and the request will be denied.
If you’re in any doubt about its authenticity, open Keychain Access, lock the keychain there, and repeat the action while watching the keychain to ensure that it’s unlocked and handled correctly.

Note that it doesn’t provide or ask for your user name, only the password for that keychain.

Older versions of macOS may display this slightly differently, but still contain the same key items of information to reassure you that the request is genuine. While Ventura changed many of these dialogs to its new vertical format, this remains unchanged, and hasn’t changed in Sonoma either.

Privilege authentication

The other everyday reason for being asked to enter your password is to authenticate for other purposes that require elevated privileges, such as for a process to run a privileged helper, or to make changes in System Settings.

In Ventura and later, that has adopted the new format and should contain the following:

The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that is asking for your password.
Bold text names the app making the request.
Below that is a general indication of the purpose of the request.
Below that is the instruction to Enter your password to allow this.
There are two text boxes, to contain your user name (already completed) and password.
There are only two buttons, one of which may be OK or something more specific, and the other is Cancel.
If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.

On Macs with Touch ID support and an appropriate keyboard, in many cases now you may first see the prompt for biometric authentication using your fingerprint.

Only if that doesn’t work, or you opt to use your password, should you see the normal dialog. The Touch ID dialog is a strong indicator that this request is genuine, and can be trusted, as malware won’t be able to access this feature through macOS, and it’s not an easy dialog to fake, as the malware would have to detect whether that Mac was able to use Touch ID first.

Dialogs in Recovery are not only different as they’re all in Dark Mode, but they’re far simpler.

Apple ID password

Another common type of password request dialog is that for your Apple ID and password. Unfortunately, these vary more, but have some common features that can help tell the genuine from the fake.

The icon is that of the requesting app, and doesn’t include a locked padlock.
Text that makes it clear that your Apple ID and password are required.
A prompt for the Apple ID, email or phone number, which isn’t pre-completed with your user name.
At least two buttons, one of which is Cancel.
Possibly a link to what to do if you’ve forgotten your password.
If you’re in any doubt as to its authenticity, click on the Cancel button, and check the app’s documentation.

The simple summary is that, if you’re ever in any doubt that a request for a keychain, admin user or any other password is completely genuine, click on Cancel or Deny, and check with the app concerned whether that request is expected.

27Comments

Add yours

1

Arnaud on March 8, 2024 at 7:57 am
Reply

I usually check for another thing when determining if the dialog is a real one: the parent app will usually hang and you can see the wheel mouse cursor on its windows.

While it’s true helpers may not show any UI, I’ve yet to see one showing such a dialog. So, if I ever see an authentication dialog pretending to, say, unlock a setting (system preferences) and the app doesn’t hang, I’ll deny the request.

It would be technically possible for a malware to hang the target app to make it appear real (by sending a Unix signal (SIGSTOP) to the app). It would still need to first load the right pane or “do something” questionnable, though.

LikeLiked by 1 person
- 2
  
  hoakley on March 8, 2024 at 11:45 am
  Reply
  
  Thank you. I’m not sure whether that only applies to unlocking the keychain, though. I think that regular requests, e.g. for elevated privileges, can still be called from outside the main thread, so won’t have the same effect.
  Howard.
  
  LikeLike
  - 3
    
    Arnaud on March 8, 2024 at 1:05 pm
    Reply
    
    I tested right now, and it looks like the whole app is frozen while the dialog waits for the user.
    
    In addition to asking for authorisation in a secondary thread (which blocked the GUI), I also experimented starting a secondary thread (which just outputs ticks to the Console) then asking for authorisation in the main thread. The output ceases when the dialog is shown and resumes after. It looks like all threads are concerned.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on March 8, 2024 at 1:10 pm
      
      Thank you. That’s perhaps a subtle test for an ordinary user, but looks useful in the event of any doubt.
      Howard
      
      LikeLike
5

Steven Joruk on March 8, 2024 at 11:47 am
Reply

This is a really useful article, thanks.

Another way to tell for authorization rights requests is to check the logs for authd to see if the rights really were requested.

I know of one genuine privilege management solution that forges Apple’s authentication request dialogs. It’s also possible to customize Apple’s dialog by extending https://developer.apple.com/documentation/securityinterface/sfauthorizationpluginview. I wish Apple’s dialog would show more information on request, like which rights are being granted.

LikeLiked by 1 person
- 6
  
  hoakley on March 8, 2024 at 11:52 am
  Reply
  
  Thank you.
  “one genuine privilege management solution that forges Apple’s authentication request dialogs” How did that get past notarization? Surely that would be refused by Apple?
  “It’s also possible to customize Apple’s dialog” Does that break Apple’s standard principles in the dialog, though, or just add to them?
  “which rights are being granted” I’m not sure that many users would understand those, would they?
  Howard.
  
  LikeLike
7

Steven Joruk on March 8, 2024 at 11:48 am
Reply

This is a really useful article, thanks.

Another way to tell for authorization rights requests is to check the logs for authd to see if the rights really were requested.

I know of one genuine privilege management solution that forges Apple’s authentication request dialogs. It’s also possible to customize Apple’s dialog by extending https://developer.apple.com/documentation/securityinterface/sfauthorizationpluginview. I wish Apple’s dialog would show more information on request, like which rights are being granted.

LikeLike
8

B. Harris on March 8, 2024 at 3:30 pm
Reply

Even with all of this, the malware developer could just screenshot the valid dialog and use that in the malware package. My amateur 2 cents — Apple should create a password entry animation that is easy to distinguish and hard to copy. So if malware tries to mimic that animation, the graphics subsystem would refuse to draw it. Then users could be trained to only enter their password when they see that animation.

LikeLiked by 1 person
- 9
  
  hoakley on March 8, 2024 at 3:57 pm
  Reply
  
  Well, it isn’t as easy as that, and if you look at malware, I don’t recall any accurate forgery, but several plausible fake dialogs.
  I’m not sure how you could improve this with an animation, nor how macOS could refuse to display any given animation, any more than it could refuse to display an image, which is a much simpler decision.
  Anyway, the point of this article isn’t to subject these dialogs to a critique, but to point out how to distinguish the real from the fake. If users did that, then no one would ever give their password away to malicious software.
  Howard.
  
  LikeLike
10

chris on March 8, 2024 at 5:44 pm
Reply

I think this article would benefit by including some fakes. I know what they look like, but the folks I’d like to pass this article along to, don’t. And let’s face it, the people that need help with this, really need things as succinct, complete and easy to understand as possible. Great compilation tho!

LikeLiked by 1 person
- 11
  
  hoakley on March 8, 2024 at 8:05 pm
  Reply
  
  It’s funny you should say that, but I wasted an hour or two trying to get an example or two, but even with all security turned of in my VM, macOS wasn’t having anything to do with malware!
  Then I realised that, while that might seem a good idea, it would actually confuse. You don’t learn how to recognise a genuine banknote from studying forgeries, but from learning key features in real banknotes.
  So, that combination put pay those ideas, and I went just with showing examples and their variants, all of them genuine.
  TBH, most of the fakes are only plausible when you don’t know what to look for. Little effort seems to go into making them look closely similar.
  Howard.
  
  LikeLike
12

thymine02rising on March 8, 2024 at 10:28 pm
Reply

Thank you for this! You always know the right thing to say! Now I can stay (sort of) with the topic-and with a keyboard to type on ….. get ready to run or duck! I will try to keep it short. My set up yesterday took 5 hours–why–I was careful to start up mr Mac and immediately document existing info – screen shots of system information etc. I then set firewall settings and opted out of iCloud for the time being. After downloading and installing Sonoma – (from Ventura without doing the smaller updates) There were a couple of things that seemed a bit strange: In keychain access/login/certificates: 3 entries — (1)Basic Attestation User Sub CA1 Intermediate certificate authority expires 2032 “Basic Attestation User Sub CAS1″ certificate is not trusted ” in Red. (2)(3) long strings of alphanumeric – with the same quote as above expires 3/9/24. Scary to me–the color red, and the “not trusted”. (keychain was not something I checked before the upgrade-darn it) Other strangeness: (a) after installing Sonoma (friends wifi – away from home) it showed a hidden network (had not shown in Ventura) and (b) when I started to input my Mac admin user (first unchecking superfluous & checking security settings) an unrecognized icon was on the screen – maybe a neighbors – I had my other devices turned off during the initial set up. I chose my icon then went on with set up. Then finally signed on with Apple ID, set up email, safari, settings, PW, and tooled most of other iCloud settings off. (c) updates for numbers, pages, and keynote came up after – wanting UN PW. I thought that should have happened in the upgrade. Those apps are in my trash for the time being. After seeing online searches for “certificate not trusted” is not a rare thing… I still don’t like it much. Should I do anything about this? And… are there any specific articles here that you would point me to regarding security settings – Firewall Network ? Are the entries in keychain/iCloud that are <unknown> anything to be concerned about. I have had pop ups asking if sharingd and media should be allowed or denied – because of my firewall settings I guess. I’m still a little nervous after the previous mbp with MDM but with your guidance I may stop spinning about and get back to work!

LikeLiked by 1 person
- 13
  
  hoakley on March 9, 2024 at 4:25 pm
  Reply
  
  Those untrusted certificates either rely on an untrusted certificate authority, or have been revoked. If you want, you can delete them, but macOS won’t rely on them anyway: if something did try using them, you’d get a warning or they’d simply be refused.
  Your login keychain is only created when you create a new user, so I suspect those have been migrated or imported from somewhere else.
  Don’t worry about seeing other Wi-Fi networks, just ensure you connect to the right one. These days you can often see networks from neighbours, or facilities like nearby shops and bars. If you don’t connect to them, no harm can come.
  You’ll see lots of ‘unknown’ entries in keychains: most are from local protected items, and nothing to be worried about at all.
  You can’t see avatars from other nearby computers, but macOS does come with its own stock of them, so I suspect it had picked one of those for you.
  The built-in software firewall is good, but only worth using when you’re connected to Wi-Fi that doesn’t its own built-in firewall. That applies to many public Wi-Fi services, but most private system have their own (worth checking), and you can then disable that on your Mac.
  Apple’s ‘iWork’ apps like Pages aren’t part of macOS, and are installed separately from the App Store, which also updates them when you’re logged in with your Apple ID.
  I hope that addresses your questions. Enjoy your new Mac!
  Howard.
  
  LikeLiked by 1 person
14

Alexander W. Wesley on March 9, 2024 at 11:17 am
Reply

Thanks for the knowledge provided here I will always be on the watch for it. It is clear and useful.

LikeLiked by 1 person
- 15
  
  hoakley on March 9, 2024 at 4:25 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
16

thymine02rising on March 9, 2024 at 5:52 pm
Reply

Hi Howard, Thank you! Those 3 entries are the only ones under login. I thought they had to do with my original set up and sign in without associated with Apple ID. Thanks for the reassurance on certificates, “unknown”, and firewall. Oh – avatars – I had a suspicion I was using incorrect name. I was thinking, after my recent experience setting up iPhone … that wouldn’t continue set up/update until I put it down next to my old Mac book! That Beacons might have been involved somehow – and that new mbp was associating itself with anything near by during set up. Thanks again! It is very nice this device!

LikeLiked by 1 person
- 17
  
  hoakley on March 9, 2024 at 9:10 pm
  Reply
  
  No problems. Enjoy!
  Howard.
  
  LikeLike
  - 18
    
    thymine02rising on March 16, 2024 at 11:57 pm
    Reply
    
    Hi Howard, 2 follow ups re: install of sonoma on m1 refurb(new to me). My friends network did have hidden network associated – I was on without knowing-it did not show on the mbp ventura with first log on. After sonoma the hidden network showed up with a warning about hidden networks (above the line that delineates current connected network/along with the one I knew I was connected to. Should I be concerned?
    2. Garage band!! I did the install the day the security patch came out for garage band.
    With what I thought was a clean install, storage shoed 2+ gb music library (!violin was the avatar that showed up- reference previous conversation). Install log showed last year for install date. (10.4.6)
    Later that night I read about the security patch (1st ever stand alone app update). My thinking was I should do the update before uninstalling, – patch before leaving remnants ..of a hole ( mentioned in article).
    Did that – deleted library (from storage area). Then deleted app from launchpad.
    THEN, oh geez, I looked at system information install log. Phhhh 10.4.10 darn. 10.4.11 the current update had not been installed.
    So I question if an unpatched vulnerability could still be lurking.
    Oh, and like always with me, there is more! Even though my goal is to stay with native apple apps, I do want to use your silent night and any others that you recommend for me. I attempted it and nothing happens. administrator fire wall off. I tried about six times but didn’t get anywhere.
    
    I did download it previously into the Mac that I returned, if there’s some kind of limit.
    
    PS I had no idea Hemet could be so beautiful!
    
    LikeLiked by 1 person
    - 19
      
      hoakley on March 17, 2024 at 9:11 am
      
      1. Simply configure the Wi-Fi settings to ensure that your Mac connects to the network that you wish it to. That’s all you need to do.
      2. If you currently have 10.4.10 installed, then the App Store app should offer you the update. If it doesn’t, then delete the app from the Applications folder, open the App Store app, find GarageBand in your purchase history there, and you should be able to install it again. This time you should get the current version. There’s no limit.
      3. If you can explain what didn’t work with SilentKnight, I’ll try to help. It should be simple: download the current version 2 from its Product Page, unarchive it, move the app into Applications, and run it.
      Howard.
      
      LikeLike
    - 20
      
      thymine02rising on March 17, 2024 at 6:24 pm
      
      Thanks for your reply Howard, my concern about the Wi-Fi had to do only with my initial set up. I did choose however Sonoma detected “ hidden” Ventura at the start of OS download of Sonoma did not. I must’ve been on the hidden network when it was doing the OS Sonoma download – most likely I had been associated with hidden network unknowingly years ago on one of my old devices. I did not choose it. My question- should I have any security concerns – going forward – should I reinstall to prevent potential problems ( I trust my friend – she said it was an additional router in the attic) I was connected to 2 (both hers) at the same time-
      
      GarageBand: I already deleted it. I never wanted it. It seemed like it was from a previous owner because it was a year before I bought it. Maybe that had something to do with the fallback operating system as you were describing in recovery? all those files were dated at the exact same same time as OS 13 Ventura install.
      I was concerned that without the patch before deleting garage band the vulnerability they were patching with the last update remains. All the files I could possibly find concerning GarageBand have been thrashed. I would have attempted another go at the update if I’d noticed the most current vital one wasn’t installed –
      
      3. I’ll try again later and document closely- Silent Knight — many attempts clicking download no response / no download Firewall off. Admin. Approved developers checked. I’m missing something!
      Wishing you a wonderful spring… getting closer
      N
      
      LikeLiked by 1 person
    - 21
      
      hoakley on March 17, 2024 at 7:28 pm
      
      I still don’t know what you mean by “hidden network”, I’m afraid. Did you connect your Mac to a different Wi-Fi network then?
      I also don’t know what you mean by GarageBand being there from a previous owner: your Mac was initialised and all its previous data rendered inaccessible. That simply can’t happen. Neither can an app pass through Recovery – the only thing there is a secure disk image containing the Recovery system.
      If GarageBand is listed in your list of purchases in the App Store, then at some time you must have obtained from the App Store, and that moves with you when you change Mac.
      Are you saying that SilentKnight doesn’t open at all? Are you running it from your main Applications folder?
      Howard.
      
      LikeLike
    - 22
      
      thymine02rising on March 17, 2024 at 8:00 pm
      
      Yes, I connected to one with a name I recognize after first turning on new Mac. Ran through set up. Download OS Sonoma, after the install it showed “hidden network”above the line with the known network.
      It turns out it is my friend’s additional attic router – It didn’t show when I first chose a network. It did after the install of Sonoma.
      
      I did the install 3/7/24. A lot of items in the install log are from 3/10 —2023. Over 2 gb of garage band files. I have never had or installed on purpose garage band. Never had any of the music library or loops.
      I didn’t do an install on 3/10/23 to my devices.
      
      I get no response when I click your download link. I
      
      LikeLiked by 1 person
    - 23
      
      hoakley on March 17, 2024 at 9:18 pm
      
      I’m not sure which log you’re looking at, but I suspect those dates aren’t the date of installation, but the creation date on those items.
      Howard.
      
      LikeLike
    - 24
      
      thymine02rising on March 17, 2024 at 8:36 pm
      
      Was able to download silent knight. safari /settings/ websites/ eclectic = deny, which I found while logged onto your site. I clear history so did not see it previously when I wasn’t actively on the site. Sorry about that!
      
      The other two topics concern me as opening to the activation page I assumed all was clean and ready to start fresh. Then of course my “clean install” was THE day of the crititcal patch of garage band. I was in no way expecting to see any of the add on files – numbers, pages, iMovie, GarageBand. I didn’t do migration, and have very little in iCloud. Very confusing indeed! And to walk back my never… who knows from 2008… forward, but I think I would have noticed over 2 gb of “music creation” in my storage.
      
      All a moot point if your utilities will give me peace of mind. I am after clean and simple.
      
      When do you sleep?
      
      LikeLiked by 1 person
    - 25
      
      hoakley on March 17, 2024 at 9:15 pm
      
      Well done. I’m delighted you’re getting things sorted.
      “When do you sleep?” when I’m in bed 🙂 It’s not when, but how long for!
      Howard.
      
      LikeLike
26

Dan on March 20, 2024 at 2:48 pm
Reply

de we have an mobileconfig to be able to enter username and password at every password dialog? id like to be able to do that.

Thanks Howard!

LikeLiked by 1 person
- 27
  
  hoakley on March 20, 2024 at 8:11 pm
  Reply
  
  I very much doubt whether you can create a mobileconfig to do that, because of the nature of the dialogs.
  Howard.
  
  LikeLike