
Apimac Secret Folder, forgot password, help me please :-(


John

Jun 12, 2011, 6:05:19 PM
Is there a file somewhere that controls the password?

John

Jaimie Vandenbergh

Jun 12, 2011, 7:03:55 PM
On Sun, 12 Jun 2011 23:05:19 +0100, John <cof...@the.cafe.com> wrote:

>Is there a file somewhere that controls the password?

Have a look in the keychain, see if Apimac saves it there - use
Keychain Access.app in /Applications/Utilities and look in the Login
keychain, category Passwords. If there are any relevant looking ones,
double-click them and tick the "show password" box.

Cheers - Jaimie
--
"People don't buy Microsoft for quality, they buy it for compatibility
with what Bob in accounting bought last year. Trace it back - they buy
Microsoft because the IBM Selectric didn't suck much" - P Seebach, afc

John

Jun 12, 2011, 7:10:56 PM
On 2011-06-13 00:03:55 +0100, Jaimie Vandenbergh said:

> On Sun, 12 Jun 2011 23:05:19 +0100, John <cof...@the.cafe.com> wrote:
>
>> Is there a file somewhere that controls the password?
>
> Have a look in the keychain, see if Apimac saves it there - use
> Keychain Access.app in /Applications/Utilities and look in the Login
> keychain, category Passwords. If there are any relevant looking ones,
> double-click them and tick the "show password" box.
>
> Cheers - Jaimie

I got the brain into gear and remembered the pass. I looked in
keychain, found nothing.

Thanks
John

Simon Dobbs

Jun 13, 2011, 3:36:22 PM
On Mon, 13 Jun 2011 00:10:56 +0100, John wrote
(in article <2011061300105613597-coffee@thecafecom>):

I think it just makes folders invisible to the Finder by putting a full stop
at the beginning of the name - you could probably get round this by finding
invisible folders using File Buddy, and changing the name to lose the period?

J. J. Lodder

Jun 13, 2011, 3:40:28 PM
John <cof...@the.cafe.com> wrote:

It wouldn't be much of a secret,
if anyone could find it there,

Jan

Charles Lennard

Jun 13, 2011, 4:04:59 PM
In article <1k2t30z.ua...@de-ster.xs4all.nl>,

The keychain is protected by your account password or any other
(stronger?) you care to set. As long as you don't share that, single,
password all your other key chain items will be secure. You can add your
own keychain items for passwords that cannot be saved automatically.

Tony

J. J. Lodder

Jun 16, 2011, 4:37:08 PM
Charles Lennard <c.le...@notthis.bcs.org> wrote:

So open to anyone with physical access to your machine,

Jan

Jim

Jun 16, 2011, 4:40:27 PM
J. J. Lodder <nos...@de-ster.demon.nl> wrote:

> > The keychain is protected by your account password or any other
> > (stronger?) you care to set. As long as you don't share that, single,
> > password all your other key chain items will be secure. You can add your
> > own keychain items for passwords that cannot be saved automatically.
>
> So open to anyone with physical access to your machine,

Only if they know your password.

Besides, if someone you don't trust has physical access to your machine
then you have bigger problems.

Jim
--
'65 Black Stingray - for barter only. Call 555-8972


Facetime ID:j...@magrathea.plus.com

John

Jun 16, 2011, 5:07:10 PM
On 2011-06-16 21:40:27 +0100, Jim said:

> J. J. Lodder <nos...@de-ster.demon.nl> wrote:
>
>>> The keychain is protected by your account password or any other
>>> (stronger?) you care to set. As long as you don't share that, single,
>>> password all your other key chain items will be secure. You can add your
>>> own keychain items for passwords that cannot be saved automatically.
>>
>> So open to anyone with physical access to your machine,
>
> Only if they know your password.
>
> Besides, if someone you don't trust has physical access to your machine
> then you have bigger problems.
>
> Jim

The wife, for instance.

I didn't mean it, I was only joking, sorry.

John

J. J. Lodder

Jun 17, 2011, 9:04:27 AM
John <cof...@the.cafe.com> wrote:

If that's the problem better make it invisible too,

Jan

J. J. Lodder

Jun 17, 2011, 9:04:27 AM
Jim <j...@magrathea.plus.com> wrote:

> J. J. Lodder <nos...@de-ster.demon.nl> wrote:
>
> > > The keychain is protected by your account password or any other
> > > (stronger?) you care to set. As long as you don't share that, single,
> > > password all your other key chain items will be secure. You can add your
> > > own keychain items for passwords that cannot be saved automatically.
> >
> > So open to anyone with physical access to your machine,
>
> Only if they know your password.

Which you can reset with a system disk.

> Besides, if someone you don't trust has physical access to your machine
> then you have bigger problems.

The idea of special purpose passworded things
is to have some protection even when someone else has your machine,

Jan

Chris Ridd

Jun 17, 2011, 9:09:25 AM
On 2011-06-17 14:04:27 +0100, J. J. Lodder said:

> Jim <j...@magrathea.plus.com> wrote:
>
>> J. J. Lodder <nos...@de-ster.demon.nl> wrote:
>>
>>>> The keychain is protected by your account password or any other
>>>> (stronger?) you care to set. As long as you don't share that, single,
>>>> password all your other key chain items will be secure. You can add your
>>>> own keychain items for passwords that cannot be saved automatically.
>>>
>>> So open to anyone with physical access to your machine,
>>
>> Only if they know your password.
>
> Which you can reset with a system disk.

Unless that decrypts and re-encrypts your login keychain, you're still safe.
--
Chris

Richard Kettlewell

Jun 17, 2011, 9:41:35 AM

The attacker replaces the keychain software with their own 'special'
version which tells them everything it knows.

--
http://www.greenend.org.uk/rjk/

Chris Ridd

Jun 17, 2011, 10:13:24 AM

Which is only the encrypted password for the
whatever-it-was-we're-talking-about.
--
Chris

David Empson

Jun 17, 2011, 8:09:27 PM
J. J. Lodder <nos...@de-ster.demon.nl> wrote:

> Jim <j...@magrathea.plus.com> wrote:
>
> > J. J. Lodder <nos...@de-ster.demon.nl> wrote:
> >
> > > > The keychain is protected by your account password or any other
> > > > (stronger?) you care to set. As long as you don't share that, single,
> > > > password all your other key chain items will be secure. You can add your
> > > > own keychain items for passwords that cannot be saved automatically.
> > >
> > > So open to anyone with physical access to your machine,
> >
> > Only if they know your password.
>
> Which you can reset with a system disk.

Only the account password, not the keychain password. Your keychain is
safe from anything short of brute force password cracking (assuming no
vulnerabilities in its encryption).

Passwords and other secure items in the keychain are encrypted using
your keychain password. If you lose the keychain password, you can't get
the secure items out of the keychain again short of brute force guessing
of the keychain password.

The normal arrangement is for Mac OS X to have the same account password
and keychain password. In this case, if you change your account password
using the "normal" method (from System Preferences while logged in as
that user), the keychain password is also updated to the new account
password.

If you use any "reset password" mechanism (either System Preferences
while logged in as a different admin user, or the mechanism available
from the Mac OS X install DVD), the account password is reset, but the
keychain keeps using the old password.

You can also deliberately set your keychain to use a different password
from your user account, in which case changing your own account password
via System Preferences will not touch the keychain password (unless you
set the same password for both, then change it again using System
Preferences).

--
David Empson
dem...@actrix.gen.nz
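
The behaviour described in the post above, as an added example that is not part of the thread and not Apple's keychain format: a simplified Python model in which the stored items are encrypted under a key derived from the keychain password. `ToyKeychain`, `ToyAccount` and the HMAC-based stream cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive(password, salt):
    # PBKDF2 over the password -> (encryption key, MAC key)
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def crypt(key, data):
    # Toy XOR stream cipher for this model only (HMAC-SHA256 in counter mode).
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))

class ToyKeychain:
    def __init__(self, password, secret):
        self.salt = os.urandom(16)  # fresh salt for every (re-)encryption
        enc, mac = derive(password, self.salt)
        self.blob = crypt(enc, secret)
        self.tag = hmac.new(mac, self.blob, hashlib.sha256).digest()

    def unlock(self, password):
        enc, mac = derive(password, self.salt)
        tag = hmac.new(mac, self.blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            return None  # wrong password: nothing is decrypted
        return crypt(enc, self.blob)

class ToyAccount:
    def __init__(self, password, secret):
        self.set_login(password)
        self.keychain = ToyKeychain(password, secret)

    def set_login(self, password):
        self.login_salt = os.urandom(16)
        self.login_hash = derive(password, self.login_salt)[0]

    def login_ok(self, password):
        return hmac.compare_digest(derive(password, self.login_salt)[0], self.login_hash)

    def change_password(self, old, new):
        # Normal change while logged in: the old password is supplied,
        # so the keychain can be decrypted and re-encrypted under the new one.
        secret = self.keychain.unlock(old)
        if secret is not None and self.login_ok(old):
            self.set_login(new)
            self.keychain = ToyKeychain(new, secret)

    def admin_reset(self, new):
        # Admin or install-DVD reset: the old password is not known, so the
        # keychain cannot be decrypted and stays under the old password.
        self.set_login(new)
```
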

J. J. Lodder

Jun 18, 2011, 3:32:43 AM
David Empson <dem...@actrix.gen.nz> wrote:

Most users don't even know that there is such a thing
as a keychain password, let alone that it can be set.

Or even that there is such a thing as the keychain,

Jan

Jim

Jun 18, 2011, 3:37:00 AM

Which doesn't invalidate the fact that there is.

Jim
--
Amelia Pond: You're soaking wet.
The Doctor: I was in the swimming pool.
Amelia Pond: You said you were in the library.
The Doctor: So's the swimming pool.

Richard Kettlewell

Jun 18, 2011, 5:11:56 AM

My point is that once an attacker has had the ability to modify the
system, they can subsequently retrieve any credential that you use.

--
http://www.greenend.org.uk/rjk/

Message has been deleted

Richard Kettlewell

Jun 18, 2011, 9:07:53 AM
real-addr...@flur.bltigibbet.invalid (Rowland McDonnell) writes:
> Not if the credential concerned is (e.g.) a password stored as a secure
> hash.
>
> <http://codahale.com/how-to-safely-store-a-password/>

That page is not talking about the same issue.

That page is discussing how a service (a login, say, or a website)
stores a user's password in such a way that (i) it cannot leak the
plaintext of the password but (ii) it can nevertheless verify that a
supplied password plaintext is the right one.

The problem this mitigates is unauthorized read-only access to the
service's password database. But that's not what I'm talking about: I'm
talking about the case when someone has sufficient access to the
machine to modify the software running on it (for instance, because they
have physical access to it for a while).

The user, or a keychain application acting on their behalf, must
nevertheless access the password plaintext in order to access the
service, and that is the point at which someone who has previously taken
control of the machine will capture it.

For instance, you type a password when you log in to most modern
computers. No matter how secure the long-term storage of the password
on the computer, if the attacker has taken control of the login process,
they will know your password *because you just typed it in*.

--
http://www.greenend.org.uk/rjk/

Message has been deleted

Richard Kettlewell

Jun 18, 2011, 12:31:19 PM

> Ah - you're talking about the attacker installing software, then going
> away and leaving you to use the machine so they can capture passwords?
>
> Didn't know you were thinking of that.

Yes. I don't think I was being especially unclear.

--
http://www.greenend.org.uk/rjk/

Peter Creosote

Jun 18, 2011, 2:05:40 PM
On Sat, 18 Jun 2011 17:31:19 +0100, Richard Kettlewell babbled:

Your explanation was very clear. Excuse Rowland, he has a lot on his mind
these days, having to move out by September and the divorce. He hasn't had
time to keep up.

--
"Well, yeah, like meeting half a dozen consultant shrinks and finding out
that they're all a bunch of incompetent bullying lying ignorant abusive
bastards."
Rowland McDonnell foaming at the mouth - Nov 28, 2007

Message has been deleted

Pd

Jul 1, 2011, 4:56:00 AM
David Empson <dem...@actrix.gen.nz> wrote:

> If you use any "reset password" mechanism (either System Preferences
> while logged in as a different admin user, or the mechanism available
> from the Mac OS X install DVD), the account password is reset, but the
> keychain keeps using the old password.

We keep getting stung by this, although not badly yet. My son changes
his password, forgets what he's changed it to, and I have to go in as an
admin and change it. Which gets him into his user account, but doesn't
get him his keychain. Hopefully he'll learn that lesson before his
keychain contains more important stuff than game logins.

--
Pd
