Welcome to the MacNN Forums.

vwgtiturbo · Aug 15, 2008, 11:35 AM

Hello there, I have been using Disk Utility/Knox to create encrypted disk images for some time. Instead of entering the ridiculous password every time I wanted to work on these files, I would check the 'Remember this password' option in the mount dialogue. Then it occurred to me that it may not be very smart to do that. I know that the user's password can be reset with an install disc, as I've had to do it to machines that a friend was buying on eBay. Now, I may be off my rocker, but once the password is reset, the thief would have access to the drive, and simply mounting the encrypted file would auto mount it, correct? Since I had checked 'Remember password', it should just mount up, or am I crazy? Any insight from someone that has more of a clue would be greatly appreciated.

zombie punk · Aug 15, 2008, 11:39 AM

You are correct that by allowing the encrypted volume to be accessed by the remember password option you have vastly reduced the security you had. Someone who knows your login password would have access to the encrypted volume. Reseting the login password would not give you the keychain one though.

Art Vandelay · Aug 15, 2008, 11:47 AM

No, they wouldn't have access to the KeyChain where all the passwords are stored. When you reset a password via the Install disc or another admin account, it doesn't change the KeyChain to match the login password.

vwgtiturbo · Aug 15, 2008, 11:57 AM

So, even though they could browse the hard drive, would they have to enter the old password to access a Keychain item? Or, is there a way to also reset the Keychain password? I'm just trying to keep myself from defeating the purpose of the encrypted disk images, so I appreciate the insight!

vwgtiturbo · Aug 15, 2008, 12:04 PM

This answers my question: http://support.apple.com/kb/HT1631
So, in summary, you will STILL need the OLD password to reset the Keychain password. Sweet... So I can select to remember password with little ill-effect.
Thanks for the help guys!

zombie punk · Aug 15, 2008, 12:06 PM

Art - that was what I was getting at about the reduced security.
If the laptop is swiped while you are logged in, a thief could gain access.

vwgtiturbo · Aug 15, 2008, 12:07 PM

Good point... I do have it set to log me out after 15 minutes, so at least there is a narrow window. I do always lock the screen when I walk away, so it should be ok...

Art Vandelay · Aug 15, 2008, 12:13 PM

You can only change the KeyChain password if you know the original.

You're still better off not storing sensitive passwords in the KeyChain. If you forget to logoff, then they have access to everything in your KeyChain since it's unlocked by default during your session.

ginoledesma · Aug 15, 2008, 11:17 PM

It also helps if your Keychain password is distinct from all your other passwords.

OreoCookie · Aug 16, 2008, 08:39 AM

Originally Posted by Art Vandelay

You're still better off not storing sensitive passwords in the KeyChain. If you forget to logoff, then they have access to everything in your KeyChain since it's unlocked by default during your session.

Not quite true. You can easily create a separate keychain with a separate password that locks automatically. It's mostly out of convenience that most people don't do this.

ghporter · Aug 16, 2008, 09:22 AM

I think most people just don't think about what Keychain is, and what they can do with it. Having the ability to have multiple chains with different settings makes it a very handy thing indeed. But most of us just see it as ONE chain because that's all that happens by default. There's no icon-button that says "New Keychain" so you don't even run across this possibility when you open Keychain Access... But it's there, under "File."