[OSX-Users] http://www.southampton.ac.uk/isolutions/account/passwords/mac.html
Hugh Glaser
hg at ecs.soton.ac.uk
Wed Sep 30 21:57:53 BST 2009
Dear Serviceline,
This page is seriously misleading and promotes bad practice.
"However, when you change your University account password, you also need to
change the keychain password on your Mac, as this will retain the old
password until it is manually changed."
Need?
I don't think so.
Retain?
Yes, but changing the keychain password will not stop the keychain
"retaining" the old iSolutions password for the iSolutions and other sites.
There is an ambiguity in the final clause, which I am hoping is not
deliberate.
"Please ensure that the password matches your University password to ensure
you do not encounter problems connecting to services."
The changing of the keychain password cannot possibly have any effect on
connecting to the University services - that is the whole point of the
keychain.
And the article completely fails to say that all of the above achieves
nothing in terms of helping the user connect to iSolutions services, as he
or she will still need to enter any new password when prompted by a client
using keychain services.
As far as I can see (I may be a bit short-sighted), the whole page is about
persuading users who perhaps don't realise what is going on to change their
keychain passwords at the same frequency as the iSolutions ones by
pretending they will need to, to avoid problems.
There is no need whatsoever to change the keychain password - simply trying
to log in to iSolutions or whatever would cause the keychain to store any
new password.
Of course, the user will end up with a different password for the keychain
to the one for iSolutions, but they probably already had that, and in
practice there is no reason why they should - in fact many security experts,
including yourselves, will probably recommend that users use different
passwords for different access mechanisms. I certainly do not want my
keychain, which gives access to some more sensitive data than iSolutions, to
be vulnerable to a breach in iSolutions security.
Apart from therefore encouraging bad practice, I feel this whole article is
duplicitous, although it is quite possible I do not really understand the
technology properly.
I think the page should be modified to be more honest.
Best
Hugh