The Same Password

If you’re like me, you probably use the same password for many different accounts. You probably realize that it is not a great security model, because once an attacker gets the password for one of your accounts he has access to all of your accounts. But who can blame us? Just about every useful application on the internet requires that you have an account and a password. At work, I must have over thirty accounts on that many different servers. I’m sure it’s possible to memorize a unique randomized password for each account, but it sure doesn’t seem like it’s worth the time and effort. That is, before Tuesday it didn’t seem worth the effort.

On Tuesday I experienced just how quickly someone can gain access to nearly all of your passwords just by discovering one of them. It all started when a hacker managed to compromise a client’s server for which we share administrative responsibility. Having root access, the hacker replaced the SSH daemon (a remote access program) with a version that would log passwords. The moment I logged into this compromised server, the hacker knew not only my username and password but also what machine I was logging in from. Since I used the same password for this server and my desktop machine, in less than a few minutes the hacker was in my desktop (an iMac G5 running Mac OS X) and beginning the process of compiling the hacked SSH daemon.

I was able to cut off the hacker’s access before he could get his SSH daemon installed. I then had to go and change my password on over thirty servers. I also recognized that, since the hacker had read access to my home directory, he had access to my private SSH key, which I use to log into some servers on which I don’t have my own account. My private SSH key was also encrypted using the same password as everything else, so I had to go and remove my key from about 5 or so servers that had it installed.

Now, to be clear, I didn’t use the same password for everything. I used a small handful of passwords for everything: one password for everything at work, one password for personal internet accounts that don’t need super security, one password for any account that can make purchases with my credit card (I keep these accounts to a minimum), and one unique password for my online banking account. I figured that this was more secure than using the same password for all of my accounts. I was wrong; I didn’t take into account my use of the Mac OS X Keychain.

If you’re a Mac user, you are already familiar with Keychain though you may not even realize it.

Keychain is Apple Computer’s password management system in Mac OS X and Mac OS 9. A Keychain can contain various types of data: passwords (Internet, application & AppleShare), security certificates, keys and secure notes. The default keychain file is the login keychain, decrypted on login by the user’s login password (this can be changed). Keychain files are stored in ~/Library/Keychains/

Naturally, I never changed the password for my login keychain, so I have to assume that the non-work passwords I was keeping in there are now compromised. I think it’s unlikely that this hacker was smart enough to grab my keychain, but it’s better safe than sorry.

So learn from my mistakes. Use different passwords for different accounts. If you store them in your keychain, make sure you encrypt your keychain with a password different from your login password. Use SSH keys to avoid getting your password logged by a compromised SSH daemon, and use a unique password to encrypt your private SSH key.
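One check that follows from the last piece of advice, as an added example that is not code from the original post: a small Python audit that reads each private key under ~/.ssh and reports the ones stored without a passphrase, by parsing the cipher and KDF names in the openssh-key-v1 header and the Proc-Type line of legacy PEM keys. The `id_*` file pattern and the constructed sample key are assumptions of this example.

```python
import base64
import struct
from pathlib import Path

# Magic prefix of the modern OpenSSH private key container (openssh-key-v1).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read one uint32-length-prefixed string from an OpenSSH key blob."""
    (length,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + length], offset + 4 + length


def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the armored private key is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armored private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # Modern format: header names the cipher and KDF; "none" means plaintext.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted keys carry a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)


def unencrypted_keys(ssh_dir=Path.home() / ".ssh"):
    """Names of private key files under ssh_dir that are stored without a passphrase."""
    found = []
    for path in Path(ssh_dir).glob("id_*"):  # assumed naming convention
        if path.suffix == ".pub" or not path.is_file():
            continue
        try:
            if not private_key_is_encrypted(path.read_text()):
                found.append(path.name)
        except ValueError:
            continue  # not a key format this check understands; skip it
    return found


def constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample (not a real key): only the header fields the check reads."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running `unencrypted_keys()` on a real home directory lists the keys that should be re-protected with `ssh-keygen -p`.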
