KeyChainDD is designed to be very, very secure. But it is only as secure as the way you use it. This page covers how to be as secure as possible.
The Threats and the Design of KeyChainDD
KeyChainDD is designed the way it is for some very specific reasons:
  1. There’s an inherent misalignment between the need to have long, complex passwords that can’t easily be guessed and are different for each site, and the need to have a password that can be remembered without being stored, because any kind of storage is vulnerable. KeyChainDD helps with this by letting you use “partially memorized” passwords - see later for more detail.
  2. The threat from malware such as keyloggers is becoming more acute. While Macs have been somewhat immune to such threats, that’s changing. And yes, there are keyloggers for Macs. Both hardware and software ones. KeyChainDD helps to protect you by avoiding use of the keyboard, while still not placing your trust in “auto fill-in” software that can be fooled, and is in and of itself a vulnerability as it holds all your passwords.
  3. Single point of failure. While software that automatically fills out web forms with your User Id and password is in theory secure, in practice it is a single point of failure which, if compromised, offers access to all your sensitive information. KeyChainDD fights this threat in two ways. Firstly, because KeyChainDD uses the OS X keychain infrastructure, both KeyChainDD and OS X would have to be compromised in order to get access to all your information. Even if KeyChainDD were compromised on its own, that only offers an attacker access to whatever single password was being communicated at that time, not all your passwords. Secondly, KeyChainDD makes it easy to use “partially memorized” passwords, which mean that no single compromise can offer access to all your passwords.
What Can’t KeyChainDD do?
It’s important to understand that there are limitations on what KeyChainDD can protect you from. KeyChainDD can’t help if:
  1. Your Mac is compromised at root level. Even under these circumstances, KeyChainDD’s design of distributing functionality between it and OS X offers some protection. But a root-compromised machine is inherently unsafe. Root compromises are almost inevitably the result of not updating your machine with the latest security updates, and of running untrustworthy software.
  2. Your network connection is compromised external to your Mac. Attacks exist that allow an external site to spoof a real site. Your best protection here is to be very cautious of any site that looks “wrong”. Also be very cautious of situations where you enter your User Id/password, but then immediately afterwards are requested to do so again - this may indicate that you have been directed to a spoof site, which after harvesting your information redirects you to the real site.
  3. The software that you are entering the data into is compromised. To state the obvious, if your browser has been replaced by a compromised one, all bets are off.
How to Transfer Passwords from KeyChainDD Safely
There are three ways to transfer User Ids and passwords to other programs such as browsers - via the pasteboard, via drag-and-drop, and via the services menu.
  1. The pasteboard is the least secure method of transferring data that KeyChainDD supports, and by default it is disabled. The reason the pasteboard is not secure is that the default OS X pasteboard is accessible to any program running at the time, without any kind of privilege. KeyChainDD tries to mitigate this by leaving information on the pasteboard for as short a time as possible, but it is still a method of transfer that is inherently not very secure - a trivial system compromise renders anything on the pasteboard instantly visible.
  2. Drag-and-drop operations are significantly more secure. While drag-and-drop operations still utilize the OS X pasteboard mechanism, they create a new private pasteboard for each individual transfer, and destroy it immediately after that transfer. This pasteboard is invisible to other programs running at the time, and no method of monitoring such private pasteboards has been documented by Apple. It is however possible that such a method might exist as part of a private API, and that malware could exploit it.
  3. Using the services menu is even more secure; the mechanism that the services menu utilizes for transferring data is a direct transfer rather than one via an OS X intermediary function such as the pasteboard. As such, it is highly resistant to compromise, and you should use it for very sensitive data.
“Partially Memorized” Passwords
Partially memorized passwords are a good way to protect yourself from many potential system compromises. They work by combining long, secure passwords stored in KeyChainDD with a way of securely entering a short additional password that you remember. Here’s how they work:
  1. Firstly, generate a long, random password either by using the Keychain Access application, or by using one of the many on-line generators available on the web. A good on-line generator is here.
  2. Store this in KeyChainDD as your password.
  3. Select a short additional sequence of characters that you can easily remember, e.g., “rc61”, and a scheme for inserting them into the long stored password - e.g., “r” after the sixth character of the long password, “c” after the second character, “6” after the eighth character, etc.
  4. When you need to enter your password, first drag and drop the long password, then insert the extra characters using the keyboard, but using the mouse to move between insertion points. Using the mouse, not the keyboard, to move between insertion points is important, as this prevents a keylogger from tracking what you are doing.
This process means that in order for your full password to become known to any malware, it would have to compromise the private pasteboard that KeyChainDD uses, as well as log keystrokes, and be able to track mouse movements and relate those mouse movements to the web page that you are entering the data into. While this combination is not theoretically impossible, it involves compromising both KeyChainDD and OS X deeply, and is well beyond what any currently known malware is capable of.
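The insertion scheme from steps 3 and 4 above, worked through as an added example (illustrative Python written for this page, not KeyChainDD code): it composes the full password from the stored part plus the memorized characters, checks that the scheme can be undone unambiguously, and estimates how many combinations an attacker holding only the stored part would have to try. The stored password, the rule set and the alphabet size are constructed sample values.

```python
import secrets
import string
from typing import List, Tuple

# One insertion rule: (memorized character, insert it after the N-th character
# of the *stored* password). N = 0 puts it in front. Constructed sample values,
# not a recommendation for your own rule.
InsertRule = Tuple[str, int]

SAMPLE_RULES: List[InsertRule] = [("r", 6), ("c", 2), ("6", 8), ("1", 12)]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_stored_password(length: int = 20) -> str:
    """Long random part destined for the keychain (step 1 on the page)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _check_rules(stored: str, rules: List[InsertRule]) -> None:
    for ch, n in rules:
        if len(ch) != 1:
            raise ValueError("each rule inserts exactly one character")
        if not 0 <= n <= len(stored):
            raise ValueError(f"position {n} is outside the stored password")


def compose_password(stored: str, rules: List[InsertRule]) -> str:
    """Build the full password (step 4): stored part + memorized characters.

    Positions count characters of the original stored password, so insertions
    are applied from the highest position down; that way an earlier insertion
    never shifts a later one. Rules sharing a position keep their list order.
    """
    _check_rules(stored, rules)
    result = stored
    order = sorted(enumerate(rules), key=lambda r: (r[1][1], r[0]), reverse=True)
    for _, (ch, n) in order:
        result = result[:n] + ch + result[n:]
    return result


def recover_stored(full: str, rules: List[InsertRule]) -> str:
    """Inverse of compose_password: strip the memorized characters out again.

    Undoes the insertions in the reverse order they were applied and checks
    that each removed character matches its rule, so a bad rule set is caught.
    """
    result = full
    order = sorted(enumerate(rules), key=lambda r: (r[1][1], r[0]))
    for _, (ch, n) in order:
        if n >= len(result) or result[n] != ch:
            raise ValueError(f"expected {ch!r} at index {n}, found {result[n:n+1]!r}")
        result = result[:n] + result[n + 1:]
    return result


def memorized_part_work_factor(stored_len: int, rules: List[InsertRule],
                               alphabet_size: int = len(ALPHABET)) -> int:
    """Upper bound on combinations for an attacker who holds the stored part.

    Assumes (a constructed model) that the attacker knows how many characters
    were memorized but not which ones or where: each of the k characters can be
    any alphabet symbol at any of stored_len + 1 slots. Distinct final strings
    can be fewer, since different (char, slot) combinations may collide.
    """
    return (alphabet_size * (stored_len + 1)) ** len(rules)


def appended_only_work_factor(rules: List[InsertRule],
                              alphabet_size: int = len(ALPHABET)) -> int:
    """Same attacker, but the memorized characters were simply appended at the
    end, so the positions are known and only the symbols must be guessed."""
    return alphabet_size ** len(rules)


if __name__ == "__main__":
    stored = generate_stored_password()
    full = compose_password(stored, SAMPLE_RULES)
    assert recover_stored(full, SAMPLE_RULES) == stored
    print("stored part  :", stored)
    print("full password:", full)
    print(f"inserted at chosen slots: up to "
          f"{memorized_part_work_factor(len(stored), SAMPLE_RULES):,} combinations")
    print(f"appended at the end only: {appended_only_work_factor(SAMPLE_RULES):,}")
```

The two work-factor figures make the design point concrete: choosing where the memorized characters go, not just what they are, is what stops a captured stored part from being enough on its own.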
Security Tips for KeyChainDD