Print out all your saved passwords – OSX

Here’s a reason why you shouldn’t let anyone use your computer.

In your terminal, type:

security dump-keychain -d ~/Library/Keychains/login.keychain

 

If your passwords start printing out right away, anyone using your computer can see all your passwords.
You need to do this:

1. Open Up Keychain Access (Using SpotLight, Alfred, or Quicksilver)

2. Click on the lock button.

 

If your computer asks you to input your computer password, then now you know how IMPORTANT your computer password is. Never share it.

 

If you’ve seen enough passwords, type Control+C in your terminal to stop it.
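
The lock state set in Keychain Access can also be checked from the terminal. The script below is an added example, not part of the original post: it classifies the auto-lock settings reported by security show-keychain-info and prints the command that tightens them. The one-line output format shown in its comments, the sample policy of 300 seconds and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the auto-lock settings of the login keychain.
# Assumed output of `security show-keychain-info <keychain>` (one line):
#   Keychain "<path>" lock-on-sleep timeout=300s
#   Keychain "<path>" no-timeout
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain}"
MAX_TIMEOUT="${MAX_TIMEOUT:-300}"   # seconds; hypothetical policy value

# Classify one show-keychain-info line; prints "ok" or "weak: <reasons>".
classify_keychain_info() {
    line=$1
    reasons=""
    case "$line" in
        *no-timeout*) reasons="never locks on inactivity" ;;
        *timeout=*)
            secs=${line##*timeout=}
            secs=${secs%%s*}
            case "$secs" in
                ''|*[!0-9]*) reasons="unrecognised timeout" ;;
                *) [ "$secs" -le "$MAX_TIMEOUT" ] ||
                       reasons="timeout ${secs}s exceeds ${MAX_TIMEOUT}s" ;;
            esac ;;
        *) reasons="unrecognised output" ;;
    esac
    case "$line" in
        *lock-on-sleep*) ;;
        *) reasons="${reasons:+$reasons, }does not lock on sleep" ;;
    esac
    if [ -z "$reasons" ]; then echo "ok"; else echo "weak: $reasons"; fi
}

# Query the real keychain and print the command that tightens weak settings.
audit_keychain() {
    info=$(security show-keychain-info "$KEYCHAIN" 2>&1) || {
        echo "cannot read $KEYCHAIN: $info"; return 1; }
    verdict=$(classify_keychain_info "$info")
    echo "$KEYCHAIN: $verdict"
    case "$verdict" in
        weak*) echo "fix: security set-keychain-settings -l -u -t $MAX_TIMEOUT \"$KEYCHAIN\"" ;;
    esac
}

# Only query the keychain where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
    audit_keychain || true
fi
```

In the printed fix, -l locks the keychain when the Mac sleeps and -u with -t locks it after the given number of seconds of inactivity.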

 

Happy Coding!

Song

 

  • Artful Dodger

    Wow. More people need to know about this. A very big security flaw indeed.

    • John Doe

      It’s not. The keychain is unlocked by your login password, someone needs to break that first to get access.

      • Lauri Ranta

        A malicious application or script can run security and see your keychain items without ever knowing the login password.

        If access for assistive devices has been enabled, you can use UI scripting to click the allow buttons:

        security find-generic-password -l AppleID -g & sleep 1; osascript -e 'tell app "System Events" to click button 2 of group 1 of window 1 of process "SecurityAgent"'

        Even if it isn’t enabled, you could use something like https://github.com/smerrill/os-x-click.

  • Arthurmild

    Thank you. After protecting myself with your tip, I shall have fun thinking of ways to show my i-friends how vulnerable they are.

    • Billy Cravens

      “i-friends”? Pretty sure this is only OSX, not iOS. :-)

      • Sebastian

        What about the iMac friends?

  • http://www.jasontokoph.com/ Jason Tokoph

    You may want to set up autolocking:

    1. Launch “Keychain Access”.
    2. Right click on “login” keychain.
    3. Click “Change Settings for Keychain ‘login’”.
    4. Check the “Lock after:” box.
    5. Change the minutes of activity to whatever you want.

    You have the option of auto-locking after zero minutes of inactivity.

    • John Doe

      And then you get to type your master password every time you need to use a saved password. Not much point in saving passwords then?

      • http://twitter.com/antonywu Antony Wu

        But then you only need to remember that master password. What is so hard about that?

        • http://online24.nl Michiel Prins

          True. But however, when using apps that continuously check a service using a saved password you have to re-enter the password every time the app performs the check. Note that this does not always apply to any app that checks for new activity, as most apps keep an open connection after successfully signing in. Depends on how the app is designed.

          • Anonymous

            You can change some settings on a per-password basis using ACLs in Keychain Access, but you can also move keychain items to separate keychains, and encrypt those with separate passwords. They won’t be automatically unlocked at login, and you can set your separate keychain to automatically lock every five minutes.

  • Jesse

    haha. Awesome.

  • Dude

    I get a bunch of gibberish printing out, definitely no passwords.

    • http://www.ryankearney.com/ Ryan Kearney

      You need to learn to understand the “gibberish” then, because the passwords are indeed being output to the console.

      Some applications save data that isn’t passwords in the keychains, such as authentication tokens or private keys.

      • Dude

        My saved passwords do not appear in the output.

      • http://www.facebook.com/hakino.takiho Hakino Takiho

        Anyway, how would you “translate” this gibberish?

        • Lauri Ranta

          The passwords are usually on the fourth line from the bottom. You can also see individual passwords with something like this:

          security find-generic-password -l AppleID -w

    • http://www.facebook.com/hakino.takiho Hakino Takiho

      Same here. I even tried searching for my passwords in the output just to check if there were indeed passwords. Anyway, how would you “translate” this gibberish?

  • Guest

    So, how does this bode when considering how easy it is to get into a Mac to which you don’t have the password or a user account (i.e. stolen or otherwise lost control of)? Forgot your Mac password?. I just wonder if this will output the passwords from all the users on that Mac, or just the user you’re logged in as.

    • Sean

      Just the user you’re logged in as. Password data is encrypted in the keychain, so it can only be retrieved if you have the keychain’s master password.

  • http://openswitch.org Ben

    http://osxdaily.com/2010/08/10/forgot-mac-password-how-to-reset-mac-password/

    So how does the above article play into this security flaw? Does the above script only print the passwords of the account you’re currently logged in with?

  • http://www.facebook.com/peter.nikolow Peter Nikolow

    This is not entirely correct. You give him access to your account and he gets all the pros and cons that you use.

    To be entirely correct – you must make a guest account and log him in there. Then he will have access to a new empty login keychain (since the login keychain is per-user).

  • Wow

    Thank you for this.

    Also:

    > Open Up Keychain Access (Using SpotLight, Alfred, or Quicksilver)

    s/SpotLight/Spotlight

    • jlgaddis

      Since we’re correcting each other over stupid crap:

      “unterminated substitute in regular expression”

  • http://www.facebook.com/hakino.takiho Hakino Takiho

    It’s printing gibberish instead of my passwords. I suspect you need a little bit of translating to do.

    Another thing: even if I locked the keychain, the same command still prints some of the keys in the keychain, I’m not sure though since they’re still gibberish.

    How do I “translate” this stuff to make sure they’re not passwords?

  • Alpha

    I think this post is rather misleading.

    First of all, not everyone can see your passwords. Unless you did something stupid your passwords are confined to the Login keychain, that keychain is unique to your account. Someone else logging on to the same computer with a different account does not have access to another account’s Login keychain.

    Second of all, the fact that someone can walk up to your computer, issue that command and get your passwords is your own fault. Don’t give other people access to your account and don’t leave your computer unlocked for someone else to use.

  • http://www.facebook.com/profile.php?id=1043047741 Kenn Villegas

    Also in addition to setting the Keychain to lock after x minutes of inactivity. Under edit|Change Password for keychain login. So if I sleep OR don’t use it for fifteen minutes it locks. Also I can make an extra KC for secure data. (all of this exceeds my needs, but is solid best practices)

  • question!

    Quick question… how do you make the squiggly symbol, as it’s not on my keyboard (the symbol before the d)?

    • http://songz.me/ Song Zheng

      ~ <- this character? It's right next to 1, under esc.
