Tuesday, August 26, 2014

The Lost Keychain

Your password will be…
Think you can remember that?
Keychain is one of those Apple products that sounds like a good idea, but (I don’t know about anyone else) I’ve had a lot of problems with it. For those who don’t know, Keychain is Apple’s password management system. At its best, it would create passwords that were difficult to break and then manage them so that the password unlocking your device (should you have one) is the one big thing to keep secure. In reality, things are a little different.

My first problem is with the passwords themselves. They all follow the same pattern of four groups of letters or numbers, separated by dashes. If I were a hacker and could tell that the password was fifteen characters long, my first guess would be that the fourth, eighth, and twelfth characters were all dashes. And, of course, some sites don’t accept the passwords.
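To put a number on the point above, here is an added example (not code from the post or from Apple) that builds a password in the dashed-group layout the post describes and compares the guessing work for an attacker who knows only the length against one who knows where the dashes fall. Three-character groups drawn from lowercase letters and digits, and a 95-character printable set for the naive attacker, are assumptions made here, not details from the post.

```python
import math
import secrets
import string

# Constructed illustration, not Apple's generator: the post describes four
# groups of letters or numbers separated by dashes, fifteen characters in all.
# Three-character groups drawn from lowercase letters and digits are assumed.
ALPHABET = string.ascii_lowercase + string.digits
GROUP_LEN = 3
GROUPS = 4
SEPARATOR = "-"
PRINTABLE = 95  # size of the printable ASCII set a naive attacker might assume


def generate_structured_password():
    """Return a random password in the dashed-group layout."""
    groups = [
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
        for _ in range(GROUPS)
    ]
    return SEPARATOR.join(groups)


def separator_positions(password):
    """Zero-based indexes of the separators; the post's 4th/8th/12th are 3, 7, 11."""
    return [i for i, ch in enumerate(password) if ch == SEPARATOR]


def naive_search_bits(password):
    """Guessing work for an attacker who knows only the length and assumes any printable character."""
    return len(password) * math.log2(PRINTABLE)


def structured_search_bits(password):
    """Guessing work for an attacker who knows the layout: only the non-separator positions vary."""
    variable = len(password) - len(separator_positions(password))
    return variable * math.log2(len(ALPHABET))


def structure_leak_bits(password):
    """How many bits of guessing work the known layout saves the attacker."""
    return naive_search_bits(password) - structured_search_bits(password)


if __name__ == "__main__":
    pw = generate_structured_password()
    print(pw, separator_positions(pw))
    print(f"naive: {naive_search_bits(pw):.1f} bits, "
          f"known layout: {structured_search_bits(pw):.1f} bits, "
          f"saved: {structure_leak_bits(pw):.1f} bits")
```

Under these assumptions the fixed dash positions are worth about 36 bits to an attacker who would otherwise have to treat all fifteen positions as unknown printable characters; what remains is the work of guessing the twelve variable positions.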

I recently ran into another problem. I signed up for Duolingo.[1] After talking with a friend who uses the site to improve her German, I decided to check it out to improve my French (my French is good, but it certainly could be better). I signed up and used, on the suggestion provided by Safari, a Keychain password. Because of the statement:
This password will be saved in your iCloud Keychain so it is available for Autofill on all your devices.
I assumed that should I log on to Duolingo with my iPad, my password would be there. And just in case I wasn’t already likely to use my iPad for this, the friendly folks (or computers) at Duolingo quickly notified me that if I had iOS devices, there was an app for what I was doing.

Later that day, over dinner I decided to look at the Duolingo app.[2] I launched the app and it wanted my login. I entered my login name and waited for the password to fill in. Okay, that’s not how I expected it.

I am not blameless in this. I (unintentionally) set up a number of roadblocks to using Keychain on both my Mac and my iPad. It isn’t on automatically on your iPad. Further, to make sure that you’re not hijacking the Keychain (even though it is tied to an Apple ID), you have to authorize your device after you turn on Keychain. There are a couple of ways to do this, but the “send a text to this number” option didn’t work because I had mis-entered my phone number in Keychain’s settings. Damn. I couldn’t revise my phone number on the iPad, because I hadn’t authorized it yet.

When I went to my Mac to change the number, it wanted me to prove it was really me by authorizing this with another device, although all it wanted was my iCloud password (which is not one of those set up by Keychain; more I will not say).

After all these things, I re-opened the Duolingo app, entered my username, and waited. Then I quit the app, opened it again, and tried with my e-mail address, and I waited. Finally, I went to my Mac, reset my password, and logged in.

It turns out that the autofill stuff isn’t necessarily all that available. Application developers have to add Keychain access to their programs. If they didn’t do it, the app can’t get your password. But then again, neither can some websites. I went to the Duolingo site on my iPad (using Safari) and entered my username. No dice. It’s a good thing I can remember that one.

Like the Heartbleed[3] crisis of a few months ago, this is a good reminder that there’s a need to manage passwords. Unfortunately, stuff that’s secure isn’t going to be simple, stuff that’s simple probably won’t be secure, and (alas) stuff can probably be neither simple nor all that secure. This would certainly make me think twice before letting Safari and my Mac turn my Facebook password into a series of three-letter groups separated by dashes.


You can follow my blog on Twitter (@impofthediverse) or on Facebook.

  1. That’s another post, and one that’s coming soon.  ↩
  2. I asked nicely about the potential intrusion. “May I do this? My iPad might talk to me, and I might be talking French to it.”  ↩
  3. You know, the OpenSSL vulnerability.  ↩
