Skip to content

Why passwords aren’t always the right answer.

I realised something yesterday. I don’t know my master password.

Users of Mac OS X can use FileVault, a data protection feature that replaces the user’s home folder with an encrypted disk image. Encrypted disk images are protected by AES-128 or AES-256 encryption, but to get at the private key you need to supply one of two pieces of information. The first is the user’s login password, and the second is a private key for a recovery certificate. That private key is stored in a dedicated keychain, which is itself protected by….the master password. More information on the mechanism is available both in Professional Cocoa Application Security and Enterprise Mac.

Anyway, so this password is very useful – any FileVault-enabled home folder can be opened by the holder of the master password. Even if the user has forgotten his login password, has left the company or is being awkward, you can get at the encrypted content. It’s also hardly ever used. In fact, I’ve never used my own master password since I set it – and as a consequence have forgotten it.

There are a few different ways for users to recall passwords – by recital, by muscle memory or by revision. So when you enter the password, you either remember what the characters in the password are, where your hands need to be to type it or you look at the piece of paper/keychain where you wrote it down. Discounting the revision option (the keychain is off the menu, because if you forget your login password you can’t decrypt your login keychain in order to view the recorded password), the only ways to reinforce a password in your memory are to use it. And you never use the FileVault master password.

I submit that as a rarely-used authentication step, the choice of a password to protect FileVault recovery is a particularly bad one. Of course you don’t want attackers able to use the recovery mechanism, but you do want that when you really need to recover your encrypted data, the OS doesn’t keep you out, too.

{ 3 } Comments

  1. Karsten | April 29, 2010 at 2:22 pm | Permalink

    hey graham,
    what do you think about using 1Password-like apps to store such passwords? Given 1Passwords Dropbox-syncing feature you could even access your master password if your computer locked you out.

    Karsten

  2. Dominic Hargreaves | April 29, 2010 at 2:23 pm | Permalink

    Master passwords like this (especially when they *cannot* be reset should they be forgotten) should be stored somewhere secure, on paper.

    Definition of secure will obviously vary per instance, be it under the bed, in a locked filing cabinet, in a bank vault…

  3. Graham | May 22, 2010 at 8:32 pm | Permalink

    Karsten: I use keychain, so have no problem with using 1password. You’re correct in that storing it on a different device is required – I have the luxury of owning multiple devices, other people may not do.

    Dom: that is an option even for those people who don’t have other devices :).