keychain
Latest
Apple adds ProRes and ProRAW support to the the Windows iCloud app
You'll be able to generate strong passwords and store them in iCloud Keychain too.
8BitDo's tiny keychain Switch controller is now available
It feels like 8BitDo can barely let a month slip by without offering a new Nintendo Switch controller. This time around, it's putting its keychain-sized Zero 2 up for pre-order.
Researcher finds macOS bug but won’t share details with Apple
A researcher has discovered an exploit that can expose passwords on macOS, but says he won't share details of the bug with Apple because of its bug bounty policies. Linus Henze posted a demo video of the KeySteal exploit this week. It seems to grab passwords from login and system keychains without requiring administrator privileges, with a simple click of a button. It works on the latest version of macOS Mojave, though it doesn't seem to affect items stored in iCloud's keychain.
Mac keychain flaw can send your passwords to hackers via text
Two developers have discovered a Mac Keychain vulnerability that hackers can easily exploit to steal passwords, certificates, et cetera with very little user interaction needed. Antoine Vincent Jebara and Raja Rahbani stumbled upon the flaw while working on the Keychain for their identity management software Myki. They found out that attackers can craft commands that can make Mac's password management system prompt users to click an "Allow button" instead of asking them to type in their passwords. Once a user clicks that button, the malicious code can forward Keychain's contents via text, though the info could also be saved somewhere for download later on.
How to easily add secure FileVault passcode to your Keychain
Since I have a terrible habit of losing things, I decided to encrypt my Verbatim "Tuff-N-Tiny" USB drive. This was a simple matter of control-clicking the drive name in Finder, choosing "Encrypt" and then setting an encryption password. I also decided to use 1Password to generate a nice, secure, long, random password: I copied that password from 1Password and pasted it into the password field in Finder, and made a note in the "hint" field that it is stored in 1Password: I clicked "Encrypt Disk" and Boom! done. I considered myself quite clever for being such a good practitioner of security practices... ...until I plugged the USB drive into another computer. As expected, the password prompt appeared. I switched over to 1Password, copied the password to the clipboard, and tried to paste it in to the prompt. OS X would not allow me to paste into the password field. I thought I would solve the problem by using Keyboard Maestro and have it simulate typing into the Secure Input password field, which is how I usually get around the "Can't Paste Here" problem. For some reason, it did not work, despite repeated attempts. Suddenly I felt extremely stupid for making such a long, random, hard-to-type password. I was definitely not looking forward to re-typing it on each Mac that I might want to use with the drive. A less... peculiar ... person would have just changed the password to something simpler. But I wanted to know if there was a way to use the secure, long, random password without having to type it all in manually. The drive can be mounted easily (and without requiring me to enter the password) on the Mac where it was first configured because the information is immediately stored in the Keychain. That gave me the hint I needed to figure out how to configure it on my other Macs. I went to the Keychain Access.app in /Applications/Utilities/ and searched for "Transport" (the name I had given the USB drive) and found this: Aha! Now that I knew the correct information to put in the Keychain, I went to my second Mac (but did not put the USB drive in yet), launched Keychain Access.app and chose File » New Password Item... from the menu. Put the name of the drive into the first two fields, and then put the password into the password field. Click Add. Then find the new entry in Keychain Access, and double-click on it. Change the "Kind" to "encrypted volume password" and copy the drive UUID to the "Where" field. Click Save Changes and quit Keychain Access.app. Pro Tip: If you forgot to copy the volume UUID from the first computer, you can get it from the System Information.app under Hardware » USB and then select the drive. You will see the UUID in the information window. Now you can plug in the USB drive, and when you do, you will see this prompt to allow access to the entry you created in keychain: Be sure to click "Always Allow" unless you want to be prompted every time. Whew! It might seem like a lot of steps, but it's pretty easy, and much easier than trying to type 8vphs/tEUX7FH'w9Td>tO]Qoq7ob6]W0+!BN_9J2o.Uh}jGz98 without making a mistake. Update 2014-10-07: I discovered two additional tidbits today which might come in handy for anyone else who comes across this page later on: If you are using this on OS X 10.7 (Lion), then you need to use "Encrypted Volume Password" instead of "encrypted volume password" The reason that my Keyboard Maestro "insert plain text by typing" macro did not work was because I use Option/Alt+V and if you keep the Option/Alt key held down, it changes the characters which are typed. When doing this via ScreenSharing (which is how I was doing it), it seems impossible to release the Option/Alt key fast enough to avoid corrupting the typed password. However, this can be easily worked-around within Keyboard Maestro itself: I simply added an option to my Keyboard Maestro macro to insert as plain text by typing when I select a Status Bar (aka menu bar) item, and when I use that instead of Option+V it works! Which, of course, means that you do not need to go through the much more complicated process of manually adding this to the Keychain Access.app. Live and learn.
Guilty Gear Xrd -SIGN-'s Limited Edition detailed
North American Guilty Gear fans can spend anywhere from $50 to $80 on the incoming Guilty Gear Xrd -SIGN- (pronunciation help here), depending on how many real-world trinkets they'd like and the console they intend to drain life meters on. As preorder pages from Amazon dictate, a Standard Edition copy of Xrd -SIGN- on PS3 will go for $50, with its PS4 counterpart running for $60. Xrd -SIGN-'s North American-exclusive Limited Edition will follow the same pattern, with the PS3 version costing $70 and the PS4 build pulling off an $80 combo on wallets. As for what makes the Limited Edition so special, a press release from publisher Aksys notes the bonuses of an outer box styled after the series' Backyard, complete with "gears and high-quality binding," a soundtrack arranged by series creator Daisuke Ishiwatari, and a roster-encompassing art book that also includes work for Gear XX Accent Core Plus and Guilty Gear 2 Overture. A keychain replica of Sol's belt buckle with the word "Free" carved in rounds out the offering. Though preorders are live, the press release only offers up a holiday season launch window, so we'll have to wait a little longer to learn when exactly it'll be time to rock. Regardless of which version you purchase however, Xrd -SIGN-'s crossplay compatibility means PS3 and PS4 owners will eventually all be fighting in the same community. [Image: Aksys Games]
Google finally tightens access to saved passwords in Chrome
Having come under fire over its relaxed attitude towards saved passwords in Chrome earlier in the year, Google is finally looking to do something about it. In a post to his Google+ page, Chrome tinkerer François Beaufort notes that the company will now ask users to authenticate themselves using a system password before they can access saved credentials inside Chrome. Previously, users could access the list of saved passwords by pointing the browser at "chrome://settings/passwords," offering easy access should their computer be left unattended. As it stands, the feature appears limited to the latest Chromium build for Mac, mimicking the behavior of Apple's own web browser: Safari. While there's no word on whether Google intends to implement the feature inside Chrome for Windows, its inclusion on the Mac suggests it could be present inside a public release in the near future. [Image Credit: Francois Beaufort, Google+]
Apple unveils Keychain for iCloud, confirms 300 million iCloud accounts
Apple today at WWDC announced some changes to iCloud, including a new iWork for iCloud and a keychain feature that'll sync your logins across all your iOS devices. The keychain is a cloud-connected password manager that ties into Safari on the desktop and Safari on the iPad and iPhone. It'll save passwords as well as credit card information and more. Tim Cook also confirmed that iCloud now has 300 million accounts, making it the fastest-growing cloud service ever (even faster than Facebook). More than 300 million iOS owners use iTunes in the cloud and these folks have downloaded their content 35 billion times. Cook also confirmed that 240 million users are on Game Center and blew us away with stats on iMessages that confirm the service has transferred 800 billion iMessages and sent 740 trillion push notifications.
OS X Mountain Lion Supplemental Update 2.0 fixes keychain errors
Everybody's favorite cat, OS X Mountain Lion, has a new update this morning. But don't be surprised if you don't see it under the Updates tab in the Mac App Store -- OS X Mountain Lion 10.8.2 Supplemental Update 2.0 is "recommended for all Mac systems introduced in 2012." According to the update notes, the update "addresses an issue with Keychain that can affect 2012 Mac systems." The update file is relatively small, only about 26.65 MB in size.
Phone Halo shows off the Cobra Tag and more at WWDC 2012
We talked about Phone Halo a couple of years ago, when the accessory company was making its own product: A little tracking tag that connected up to your keys or anything else you wanted to hang on to and used a free iPhone app to alert you whenever you needed to find them or whenever they wandered out of range. Since we last talked to them, Phone Halo was able to cut a deal with popular accessory manufacturer Cobra (best known for making speedtrap detectors) and has released the Cobra Tag, a branded and updated version of Phone Halo's original device. The company showed the model off to us at WWDC, and it was suitably impressive: The tag is small, well-designed and works over Bluetooth, with any combination of alerts available. You can search for the tag from the phone or vice versa, and you can have alerts set up for "disconnects" (when the tag leaves the iPhone's Bluetooth range). The app, available for free from the App Store, even tracks the GPS location of the disconnect when you flip it into recovery mode. So while you can't track your keys directly, you can at least see where it was you lost them. There's a lot of impressive things being done here: The tag has an LED light built in, so you have audio and visual feedback when you need to track it. And you can completely customize the iPhone's alerts, even down to choosing a song to play when a disconnect happens. The app runs in the background all of time, and it will even override your mute settings so you'll never miss an alert. Facebook and Twitter are integrated as well, If you consistently need to track keys or anything else around your iPhone, the Cobra Tag is a great solution. There is one major issue with the product, and that is battery life. The tag lasts for quite a while, but the biggest drain is on the phone, which needs to keep up a Bluetooth connection constantly, as well as GPS tracking. As you might imagine, that's a solid drain on the hardware. Now, if you really need to track your keys, that might not be a problem. If you usually keep your iPhone plugged in all day, like at the office or while sleeping at home, you probably won't have a big issue keeping your battery going. And if you absolutely need to track something, the extra battery use will probably be worth it. So while battery life can be a concern, it shouldn't rule out everyone on a product like this. The Cobra Tag is available now for about $60 at retail. Phone Halo also showed us something else they're working on: An app that will be able to track any Bluetooth device, not just the Cobra Tag. Using a generic Bluetooth headset or any Bluetooth device, the new app will be able to do all of the same things that the Cobra tag can do. It's very impressive. Phone Halo is still working on that app. It's hoping to team up with a sponsor of Bluetooth products or someone else to be able to provide the functionality to users for free, and still be able to make money off of the product. But however this tech reaches consumers like us, it certainly seems like Phone Halo is working hard on making it as cheap and easy as possible to track external devices from your iPhone.
Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it
Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its "Forensic" edition software can decrypt files protected by FileVault 2 in just 40 minutes -- whether it's "letmein" or "H4x0rl8t0rK1tt3h" you chose to stand in its way. Using live-memory analysis over firewire, the encryption key can be accessed from FileVault's partition, gifting the pilferer privy access to keychain files and login data -- and therefore pretty much everything else. If you want to try this out for yourself, conveniently, Passware will sell you the software ($995 for a single user license) without so much as a flash of a badge.
Hidden secret apps of CoreServices
Nestled within the bosom of your Mac's system folder lie many powerful and curious applications. Not intended for direct access, the denizens of the CoreServices directory work as clients for other OS apps such as System Preferences or Safari. There are several CoreServices apps we use often at TUAW. Here are some of our favorites. When Safari cannot connect to the Internet, you may be prompted to run Network Diagnostics.app to find the problem. The app lets you choose a network port you wish to work with (Ethernet, Wi-Fi, or an external modem), and test it. It is one of many apps found inside your /System/Library/CoreServices folder. It's also one that you may want to stick into your dock for a bit when you're messing around with a new router or have upgraded your cable modem. Screen Sharing.app gives you remote access to any enabled computer on your local network using the VNC protocol. Some of us prefer using Chicken of the VNC, but Screen Sharing.app is a simple alternative already built into your system. You enable this feature in System Preferences > Sharing > Screen Sharing (hint, click Computer Settings and add a password). When launched, just enter the host name or address of a sharable computer (e.g. Banana.local or 192.168.0.15) and start controlling that system remotely. Use the Wi-Fi Diagnostics.app to capture network events and enable debugging logs. It provides a way to collect traffic for analysis. Anyone who regularly works with Apple development may be pleased to realize they can access the Certificate Assistant.app directly instead of always having to launch the Keychain utility. The assistant allows you to create certificate signing requests, which are used in the dev process to request authenticated items like certificates for development provisions. The VoiceOver.app utility enables spoken descriptions of your OS X screen. It provides an audio interface for your computer. Once enabled, you can quickly switch out of VoiceOver mode with Command-F5. (You can turn on VoiceOver via System Preferences/Accessibility, as well. You're probably used to using the Archive Utility.app through the Finder's contextual pop-up, but if you drag it into your dock, you can use it as a drag and drop compression utility. Very handy! Got other favorite secret apps? Tell us about them in the comments!
BiKN for the iPhone hands-on (video)
We don't know about you, but we're pretty prone to losing stuff -- everything from our precious phones, to our keys to, occasionally, our fellow bloggers. BiKN is a hardware and software-based solution that allows you to track you loved ones and things using simple 802.15.4 radio tech instead of battery-sucking GPS. The two hardware components that will be shipping later this month are an iPhone case, which connects through the 30-pin connector and tags which you can attach to keys, bags, or the belts of wandering children. You can leash items to you using the free app so that an alarm will sound -- on both ends if the person or item wanders out of a particular range. You can also simply ping them if you've misplaced them. It even simply measures how far away another phone or tag is. And, since it's a two way system with a battery integrated in the case, if you lose your iPhone and the battery is dead you can still find it using one of the tags. A package containing the case and one tag will be available for $100, while a kit with two tags will retail for $120. Additional tags can be purchased in packs of two for $50. Check out the gallery below and the video after the break. Mat Smith contributed to this report.
Mac 101: Using Keychain Access to remember the password you forgot
One of the unsung joys of being a Mac consultant is getting emails from clients with problems that aren't critical enough warrant a billable office visit but still need attention. This morning, I heard from client who needed to add two Macs onto the office AirPort network but couldn't remember the password. Here's how she (and you) can retrieve that password. Most of the time when Mac users are asked to create a password on the Mac, there's a small check box just below asking if you want to "store the password on the keychain." If you're like many Mac users, you're not really sure what that means but you check the box anyway. What it does mean is that the password is then stored in the Mac's keychain, which is Apple's password management system that has been around since the days of Mac OS 8.6. Fortunately, Apple provides an application that you can use to find out what password you used three years ago and have since forgotten. It's called Keychain Access, and it is tucked away in the Utilities folder that resides in your Applications folder. Hint -- if you're not familiar with the Utilities folder, there's a quick way to get to it from the Finder menu bar. Just select Go > Utilities to open a Finder window filled with all sorts of fun apps, from the handy (and dangerous) Disk Utility to the under-appreciated X11. I told my client to launch Keychain Access and then click on the "login keychain" in the list of keychains on the left side of the app window. A list of passwords appears, one of which has a "kind" of "AirPort network password." Double-clicking that entry brings up a dialog similar to the one shown below: See where it says "show password"? A click on the checkbox next to that brings up a dialog that asks for the keychain password, which is generally the administrator password on your Mac. Enter that password and click OK, and you may be asked to enter the password once again. Once that's done, the password should auto-magically appear in the field next to "show password." This trick has worked many times for me when my clients have forgotten a password or misplaced the Post-It Note that they wrote it on. Hopefully it will help out some TUAW readers as well.
Morpho's NFC / WiFi-enabled keyfob brings wireless payments, card management to the everyman (video)
Not interested in picking up an NFC-enabled smartphone? No matter -- Morpho's got you covered. The outfit was demonstrating a newly finished Simlink NFC keyfob here at Mobile World Congress, intended to provide contactless payment capability for those who lack it in their existing mobile. Rather than stopping at just payments, this dongle also supports frequent flier cards, membership accounts and pretty much any other members-only situation that may ever use NFC check-ins and registration. There's even a WiFi module here and an onboard web server, enabling any WiFi-enabled phone to immediately see your most recent transactions as well as what data / cards you have stored on the device. We're told that the onboard battery can last around a week if you don't use it continuously, and a simple micro-USB connector is responsible for charging. The only unfortunate part is the size -- it's hardly inconspicuous, but we're guessing revision two will lose quite a bit of weight. This particular model should go on sale by the end of Q4, with pricing to be determined. Head on past the break for a brief demonstration, you big spender, you. %Gallery-116875%
Keyport Slide can now store your files, open your beers
Sometimes it's hard getting drunk and downloading files when you have a pocket full of keys. The Keyport Slide is finally ready to manage those inebriated backups, with the USB key version we've been waiting for now up for order, letting you streamline your keychain and your thumb drive too. There's also a new slide-out bottle opener available. A 4GB key insert will cost you $18.99, $28.99 if you want 8GB, and a Keyport with five blades and USB starts at $89. Cheap? No, but just how much longer were you going to tote around that cacophonous mass of metal in your pocket?
iPhone passcode bypassed by security researchers
A group of German researchers at the Fraunhofer Institute for Secure Information Technology report that they've cracked the iPhone's keychain system, allowing access to the passwords saved on any phone in just six minutes. By jailbreaking the target phone and installing an SSH app on it, the hackers found they could access any information on the phone that they wanted, without the need to input a passcode or any other form of security from the user. In other words, if they can get their hands on your iPhone, they have access to everything on the keychain, which includes any Gmail or Exchange accounts saved on the phone, as well as network, Wi-Fi and voicemail passwords, as well as the passwords on some apps. You can read the full report as a PDF online. The only solution that Frauhofer lists in the report is that any lost or stolen iPhone must require its owners to assume that all passwords included on the handset are compromised, and must all be changed and replaced as soon as possible. It's hard to think what Apple might be able to do about this -- as long as the phone can be jailbroken, this seems possible, and obviously Apple hasn't been able to stop jailbreaks in the past, for a number of reasons. On the other hand, this hack needs access to the phone itself, so if you don't lose your phone, you're still good to go.
Researchers steal iPhone passwords in six minutes (video)
Losing your smarpthone is bad enough. But if you lose your iPhone and don't issue a remote wipe command (available for free with the Find My iPhone app) then you could find yourself in a world of hurt. Researchers at the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) can jailbreak and decrypt passwords from the iPhone's keychain -- for say, your Gmail account, corporate VPN, home WiFi, and MS Exchange -- in about six minutes using existing, known exploits. Sorry kids, your flimsy lockscreen passcode won't help. Video proof, after the break.
Mac 101: Securing your passwords after the Gawker breach
Thanks to questionable security practices at Gawker Media (publishing parent of many high-profile websites including Gizmodo and Lifehacker), a number of people are busy scrambling to change their passwords on a lot of different sites today. Gawker stored encrypted passwords on its servers instead of password hashes (and stored those passwords using the deprecated DES standard), so as a result of some weekend hacking, a lot of email addresses and passwords were stolen. Gawker Media is asking anyone who uses its comment system to change their password immediately, and if they used the same email address and password on other websites, they should change those passwords as well. If you have used any of the Gawker sites in the past, you can use Slate's Gawker Hack widget to determine if your email address and password was part of the group that was compromised. Some other sites like LinkedIn are proactively disabling the accounts of users who were included in the data dump, requiring them to reset their passwords before they can get back in. Common sense dictates that for the best security, every website account should have a separate password; you should never use a dictionary word, birthday or family name as your password; strong passwords always need a mix of capitals and lowercase letters, numbers and (if acceptable to the service you're logging into) punctuation/non-alphanumerics. (The number of people who used 'password' or '123456' as their comment login in the Gawker system is truly shocking.) However, our puny human brains don't work well with strong passwords; we just can't remember a lot of passwords that are random gibberish, and even using mnemonics and other tricks for password generation can fill up the ol' brain pretty quickly. There are some ways to generate strong passwords that are associated with just one website -- and keep them recorded securely on your Mac or in the cloud -- so click that Read More link to see how.
Keyport Slide adds new feather to its cap with USB key prototype
If you looked at the blade-based key organizer known as the Keyport Slide and thought "this thing could really do with an integrated USB flash drive," you were not alone. The company's currently teasing a few images of a new 4GB accessory, which uses the same attachment as its key blades to slot in and out of that metallic shell. Even more tantalizing, this is said to be only one of a number of new accessories in development for the pricey but versatile door opener. Are these guys trying to subtly start a war with Switzerland or what? [Thanks, Declan]
