You can also just boot your Mac in single-user mode (Command-S), then mount the main filesystem and type "passwd bob". Much easier and produces the same effect.
That risk level is not at all on par with this though. That won't help with FileVault turned on, and it requires both a reboot and a physical presence at the machine. This can be done remotely with shell access, and discloses hashes from other accounts.
Enabling Open Firmware password protection disables the ability to boot a Mac into single-user mode; it also disables booting from an external hard drive, flash drive, etc.: http://support.apple.com/kb/HT1352
Unless the Mac has a firmware password. You could just remove that by resetting the PRAM, unless you wanted to go undetected. In that case, you could remove the hard drive, mount it elsewhere, and change the password hash. Is FileVault plus a firmware password the only safe way to keep your Mac?
In the article, it mentions that the passwords are hashed using SHA-512. As has been mentioned before, using such a fast hashing scheme for passwords is a terrible idea. Any idea as to why they do it this way? (instead of using bcrypt)
Apple uses a key strengthening algorithm on their passwords, similar in concept to Bcrypt - I think they've increased the number of rounds past the 1000 mentioned since this paper came out: http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi....
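As an added illustration of the work-factor point raised in the two posts above (this is not code from any commenter, nor Apple's implementation): a constructed record format in which a legacy single salted SHA-512 entry is verified and, on success, transparently re-hashed with PBKDF2-HMAC-SHA512 at the current round count. The record layout, the 20,000-round policy value and the fixed salt are assumptions made for this example.

```python
"""Password records with a tunable work factor (constructed example).

One salted SHA-512 costs an attacker a single hash per guess; PBKDF2-HMAC-SHA512
with N rounds costs N HMAC evaluations per guess, so a wordlist of D entries
costs D*N instead of D. Record format here is invented, not Apple's shadow layout.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

CURRENT_ROUNDS = 20_000  # policy value chosen for this example, not Apple's


def legacy_record(password: str, salt: bytes) -> str:
    """Single salted SHA-512, the scheme the thread objects to."""
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def pbkdf2_record(password: str, rounds: int = CURRENT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Key-strengthened record: the round count is stored so it can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"pbkdf2_sha512${rounds}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a record. On success, return a replacement record
    when the stored one is legacy or below CURRENT_ROUNDS, otherwise None."""
    scheme, *fields = record.split("$")
    if scheme == "sha512":
        salt, stored = bytes.fromhex(fields[0]), fields[1]
        calc = hashlib.sha512(salt + password.encode()).hexdigest()
        rounds = 1
    elif scheme == "pbkdf2_sha512":
        rounds, salt, stored = int(fields[0]), bytes.fromhex(fields[1]), fields[2]
        calc = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds).hex()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(calc, stored):
        return False, None
    if rounds < CURRENT_ROUNDS:
        return True, pbkdf2_record(password)  # re-hash at login with a fresh salt
    return True, None
```

The upgrade-on-login step is how a fleet moves from a fast hash to a strengthened one without ever needing the plaintext outside an authentication.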
It's bad, but it's not that bad. SHA is widely supported, and not that bad, yet.
You're using an Apple product. When did they ever claim to be secure? Your life is easier, more magical, full of glass, and very fast! Security is... a little bit of whipped cream on top. So enjoy your gestures on that magic touchpad, don't worry about being safe.
This feels a little bit like a naughtily published zero-day exploit.
Full disclosure is the only responsible sort of disclosure.
Not really. There's no privilege escalation. You can only change a user's password if you're already logged in as that user. That's bad, but it's only going to happen if you literally walk away from a terminal and someone else sits down.
I know this isn't the same, but I feel like Mission Control set to a hot corner bypasses the password screen from time to time. I never really notice it though.
I suppose it's different if an unauthenticated user can perform a password change with the system powered on, but similar things can be done with Windows and a Linux live CD with some tools, and Linux passwords can be changed in "single user" mode.
jballanc | 14 years ago
1. When it comes to security, from the point of view of an OS vendor, if you have gained unauthorized access to an interactive shell on a target machine it's already "game over, man". You cannot protect against physical access, and you can pretty much assume that there are a plethora of unknown privilege escalation bugs so that any account is effectively a root account. Every company has limited security resources, and at some point there are trade-offs between usability and security. This is why efforts are typically focused on keeping the baddies out.
Once the bad guy gets in, you can only mitigate potential harm. This is the goal of things like File Vault (which will still protect your stolen laptop, assuming you put on a screensaver password). This is also why merely being able to change a password is not nearly as bad as...
2. Being able to recover the plain text of a user's password. I'm not going to discuss how or why, but this was possible on earlier versions of OS X and fixed only in Lion. In this regard, "cracking" passwords is much harder on Lion than it was on Snow Leopard and earlier.
Of course, that sort of level-headed approach to this kind of topic seems to be rarer and rarer on HN these days...unfortunately...
keypusher | 14 years ago
I'm no security expert, but that doesn't seem right to me.
KonradKlause | 14 years ago
There is no need to crack the password. You (as non-root user) can just reset the currently logged in user's password by calling:
dscl localhost -passwd /Search/Users/bob
itg | 14 years ago
$ dscl localhost -passwd /Search/Users/bob
New Password: *
Permission denied. Please enter user's old password:
zdw | 14 years ago
If you've already compromised an account and have access as that user, it's likely that what you're going after isn't going to be their password...
... although, if you were to nab the password file and their keychain file (which contains passwords to other accounts that they access) which is generally encrypted with the same password (the system nags you if it's not the same), you could potentially do some real damage.
rmc | 14 years ago
Also this is protecting desktop computers, where cracking hashes is not a common security problem. Getting the machine stolen in Starbucks is probably much more common for this type of machine.
num1 | 14 years ago
(Sorry, I couldn't resist)
dotBen | 14 years ago
I'm disappointed the post doesn't mention any appropriate disclosure to Apple prior to publication. Sure, it's not an outright crack of the shadow password algo but this vector could still be used in damaging ways.
lawnchair_larry | 14 years ago
If it was a bug in a Google product, you can bet that he would have coordinated his disclosure with a fix.
burgerbrain | 14 years ago
Apple, like Microsoft, has the tendency to sweep things under the rug when they feel it is unlikely the situation will become public. The only way to correct this behavior is release what you find to the public and as fast as possible.