undefined | Better HN

story

0 pointsfauigerzigerk6y ago0 comments

I do use full disk encryption, but when I'm logged in, any program that runs as me can access my files (subject to some partial restrictions that Apple introduced a while ago). And anyone gaining access to my unlocked computer can easily copy that password file.

You could say once malware is executed with my credentials it's game over anyway. But I disagree with that. Having a file full of passwords stolen is far worse than than anything else, including key loggers, because it's maximum damage in a minimum amount of time.

I want to make that as difficult as possible for any attacker.

0 comments

icebraining6y ago

> when I'm logged in, any program that runs as me can access my files

On Windows, the same is true of the encrypted data; any program that runs as you can decrypt it. Is it different on macOS? How does the system authenticate a specific program?

fauigerzigerkOP6y ago

On the Mac, Safari and Chrome store passwords in a key chain. To reveal any of those passwords you have to re-enter your macOS login password or whatever authentication method was used to log into the device (fingerprint, face ID, ...).

So it's not the program that is authenticated. The system simply makes sure that any program accessing that particularly sensitive data is really controlled by the logged in user.

This is entirely separate from protections for other files that may or may not be encrypted.

forgotpwd166y ago

>Chrome store passwords in a key chain

Really? I thought Chrome, same as Firefox, stored credentials in an SQL file, the reason behind it being profiles and its built-in sync service.

1 more reply

j / k navigate · click thread line to collapse