No good deed...

HCHTech

Went out on a residential call yesterday, some poor old grandmother in a retirement village. She had an older iMac (on El Capitan, if that matters), and reported the problem as "I can't get to my church's website". Easy enough, right?

Turns out the problem was the church let their security certificate expire. You can bypass the security warning by entering the Mac's admin password, which, you guessed it, she didn't know. After 15 minutes of her searching, I decided to just reset it. Problem solved, sent an email to the church alerting them to the problem and have a nice day. Another happy customer.

This morning we get a call - "Now my email doesn't work!" Back I go and today's problem is just that it is asking for the password and she doesn't know it. I restart the computer and I'm bombarded with several "This program wants to access keychain, put in the keychain login password" dialogs.

Apparently, when I reset the admin password, it scrambled or erased keychain. Neither the new admin password nor the user account password was accepted as the keychain password. So, the only option I could see was to go into keychain preferences and reset it (of course erasing any passwords it knew in the process). The reset noted that it was saving the old keychain, and starting fresh with a new one.

There weren't that many things to deal with, so I just ground through the various programs and re-populated her commonly used passwords.

Finally, the question for the Mac folks here, in case this ever happens again: What should I have done to recover or access the existing keychain instead of just starting over?
 
Not related to keychain, but this is an instance where, as far as I'm concerned, the safest password manager is a notebook in that lovely lady's desk drawer, or wherever she wishes to keep it.

The probability of her losing any electronically stored passwords, again, and that wreaking havoc, again is, in my experience, quite high. The probability that anyone, barring a very dishonest immediate family member or possibly caregiver, is going to ever steal and use that password notebook is very remote indeed.

Security has to work for the person that's using it, and for the elderly making it as low-tech as possible is key. They also tend to have much greater awareness of the need for physical security of things they don't want others to get their hands on as well, so if you tell them that this sort of thing must be kept "out of sight" of the majority of the world, but where they know where it is when they need it, that's generally more than enough.

Also, and this tends to be the most unpopular advice, I don't recommend that anyone use any sort of "password memory" built into a browser at all. Most people, and particularly senior citizens, don't have 500 passwords they need to remember, and have very, very few that they need to use frequently. Far better that they commit those to memory, or consistently consult their notebook. And if they use what I call The Portmanteau Method of Creating Passwords, and begin applying it consistently, they can create passwords that are exceedingly easy for them to remember, but well-nigh impossible for any random stranger and most password-cracking software to crack in any reasonable period of time.

If people use "first phone number" as part of their portmanteau you can get between 7 and 10 digits right there, and when coupled with a special character and some other bit known only personally to them you've got an incredibly strong password already. Just make sure that something else related to "place of use" gets added into the mix. But I challenge anyone to find a method to easily crack something like 8456934962Moschgat!{insert site specific bit here} when used for however many venues if you haven't shared that old phone number, surname that means something to you, and '!' with others. And the very familiarity of those first three elements makes them roll trippingly off the typing fingers for the person doing the entry, even though many characters are involved.
 
@HCHTech did you try a blank password field? Apple allowed blank password fields for user credentials up until 2-3 years ago or so. OS upgrades did not force the creation of a user password.

But if you don't have the user password for the account the keychain is locked up tight. It stays encrypted until the user password is entered. In the past I've been able to export keychains, if I knew the password. But just looked now and export is greyed out, not sure why.
 
Apparently, when I reset the admin password, it scrambled or erased keychain.

Yes, this happens by design. The idea is to prevent an unscrupulous person from gaining access to the keychain, and as you've found out it works very well indeed!

If you do find a way of gaining access to the keychain without the original password, please let me know - it means you've managed to crack AES-256, and I think I can make money out of that.
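As an added illustration of the point made in this thread (not code from anyone in it, and not Apple's actual keychain format): a toy keychain whose master key is wrapped under a key derived from the login password. A normal password change, which knows the old password, re-wraps the master key and keeps the secrets; an admin reset only changes the account password, so the old keychain stays locked until the original password is typed. The PBKDF2 and XOR-wrap construction and the password strings are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Toy model of a login keychain (constructed for illustration, not Apple's real
# on-disk format, which the thread notes is AES-256): the keychain master key is
# wrapped with a key-encryption key (KEK) derived from the login password.

def derive_kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def wrap_key(master_key, password):
    """Wrap the 32-byte master key under the given password (toy XOR wrap + MAC)."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()  # lets us detect a wrong password
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(blob, password):
    """Return the master key, or None if the password does not open this keychain."""
    kek = derive_kek(password, blob["salt"])
    expected = hmac.new(kek, blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # the "keychain login password" dialog would reject it
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))

def change_password(blob, old_password, new_password):
    """Normal change from the user's own account: old password known, data survives."""
    master_key = unwrap_key(blob, old_password)
    if master_key is None:
        raise ValueError("old password required to re-wrap the keychain")
    return wrap_key(master_key, new_password)

def admin_reset_account(blob, new_account_password):
    """Admin reset: the account password changes, the keychain blob is untouched."""
    return {"account_password": new_account_password, "keychain": blob}

def demo():
    master_key = secrets.token_bytes(32)
    keychain = wrap_key(master_key, "grandma-original")       # constructed passwords
    changed = change_password(keychain, "grandma-original", "new-pass")
    after_reset = admin_reset_account(keychain, "new-pass")
    old_blob = after_reset["keychain"]
    return {
        "normal_change_keeps_secrets": unwrap_key(changed, "new-pass") == master_key,
        "reset_password_opens_old_keychain": unwrap_key(old_blob, "new-pass") is not None,
        "original_password_still_opens_it": unwrap_key(old_blob, "grandma-original") == master_key,
    }
```

The practical takeaway for the question above is the last line of `demo()`: the renamed old keychain that the reset saves is still openable if the original login password is ever recalled, so keep that file rather than deleting it.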
 