password safes for mac

Adam Shostack adam at
Wed Jul 1 14:48:22 EDT 2009

On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
| Adam Shostack <adam at> writes:
| > On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| > | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| > | > This would be great if didn't store your unencrypted
| > | > login and password in memory for your entire session (including screen
| > | > lock, suspend to ram and hibernate).
| > | > 
| > | > I keep hearing that Apple will close my bug about this and they keep
| > | > delaying. I guess they use the credentials in memory for some things
| > | > where they don't want to bother the user (!) but they still want to be
| > | > able to elevate privileges.
| > | 
| > | Suppose a user's Kerberos credentials are about to expire.  What to do?
| >
| > What fraction of mac users are using Kerberos?
| I think he's pointing out a more general problem.

Sure.  The problem with general problems is you can't solve them or
make tradeoffs around them.  You have to delve into each and say "what
can we do about this?" and "how much engineering weight should we give
this?"  In the case of Kerberos, I would venture to guess that it's
pretty low.  In which case, I think Apple might go back to Jake's
security issue with LoginWindow, and ask if the Kerberos issue is
reason enough to keep the behavior as is.

Obviously, there's a tradeoff for Apple here, and Apple has people who
have dug into the problem.  Those folks may well have good reasons to
keep things as they are.  From my seat as an Apple customer, I don't
understand those reasons, and the example given seems unlikely to be
important.  So I asked for more detail.

(Not speaking for my employer)

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
