rentzsch.com: tales from the red shed

Password Management

Notes
I used to keep all my account/password information in a BBEdit text file on an encrypted disk image. While this technique worked, it had a number of drawbacks.
  • Speed. Getting a password was a bit of a production. This usually entailed:
    1. wait for Disk Copy to launch
    2. click on the "enter password" window (since it never gets keyboard focus automatically [for security reasons, I'm told]).
    3. enter my password
    4. wait for Disk Copy to finish the mount and quit
    5. open the file in BBEdit

    I know about the 10.2 alias-to-file-on-an-unmounted-disk-image trick. It's a cool trick, but seems to be fatally flawed when dealing with encrypted disk images. Specifically, I'd attempt to open the alias in either the Finder or DragThing. While the image would successfully mount, some code deep in the bowels of the Alias Manager would fail to notice. Instead, it would wait forever, requiring me to force-quit the process.

    This was particularly hard on DragThing, as force quitting it left its preferences file open, and it would refuse to subsequently relaunch. Eventually, I'd have to restart the entire computer if I wanted to use DragThing again. James has since fixed this in 4.6.1, but the entire affair is still rather nasty.

  • Insecurity. Once opened, all my passwords would appear on-screen in plaintext, ripe for shoulder-surfing. Now, all my passwords are rather hard to break (I use a script to generate random 16-digit alphanumeric strings), but I'm surrounded by enough Really Smart People with photographic memories that this is a valid security concern.
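A generator for the kind of random 16-character alphanumeric password described above, added here as an illustration (it is not the author's script): it uses Python's `secrets` module as the CSPRNG and reports the entropy such a password carries. The 62-symbol alphabet and the 16-character length are assumptions.

```python
import math
import secrets
import string

# Assumed alphabet for "alphanumeric": digits plus upper- and lower-case ASCII letters (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn uniformly from `alphabet`.

    secrets.choice() reads the OS CSPRNG and rejects out-of-range draws, so every
    symbol is equally likely (no modulo bias). random.choice() is seeded from a
    predictable PRNG and must not be used for secrets.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def is_well_formed(password: str, length: int = 16, alphabet: str = ALPHABET) -> bool:
    """Check that a candidate has the requested length and uses only alphabet symbols."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    # 16 symbols from a 62-symbol alphabet give roughly 95 bits of entropy.
    print(f"{entropy_bits(16, len(ALPHABET)):.1f} bits of entropy")
```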

I view the Keychain built into Mac OS X as being fine for holding relatively unimportant stuff, like my SourceForge login. However, I don't trust it for really important stuff, like root passwords for clients' deployed ecommerce boxes.

I toyed with rolling my own paranoid password manager, but fortunately I remembered Sanford Selznick's PasswordWallet. PasswordWallet doesn't show your passwords on-screen by default, and will even "type" them into another app for you, so the password doesn't even have to round-trip the clipboard. In addition, there's a Palm version. You can access and add new passwords anywhere!

Oh, and if you intend to try out PasswordWallet under Panther Developer Preview, first remove the trademark symbol from its name prior to launching. It won't launch otherwise. Bug filed.

Wednesday, July 16, 2003
08:29 PM