Cocktail and Mountain
#24179 11/17/12 05:18 PM
Joined: Dec 2009
kevs Offline OP
I'm going back and forth with Kris of Cocktail.

He claims that in Mountain you can no longer use Enter as your password. Yet it seems ok.

Cocktail also now asks for admin and pass for every launch.

Anyone else notice this is a bit weird?

Re: Cocktail and Mountain
kevs #24180 11/17/12 05:46 PM
Joined: Aug 2009
Likes: 1
Moderator
I don't know about Mountain Lion's login requirements, but that system utilities require an admin password is perfectly normal, and has been like that for quite a while. To be allowed to do their work in the guts of the OS they need that admin access. If you think about it, you really wouldn't want anything else.


alternaut moderator
Re: Cocktail and Mountain
alternaut #24181 11/17/12 06:47 PM
Joined: Aug 2009
Likes: 15
Originally Posted By: alternaut
I don't know about Mountain Lion's login requirements, but that system utilities require an admin password is perfectly normal, and has been like that for quite a while. To be allowed to do their work in the guts of the OS they need that admin access. If you think about it, you really wouldn't want anything else.

I prefer that system utilities work similarly to System Preferences, which only asks for an admin password when you ask it to do something that requires admin access; Yasu works that way, and I've never understood why other utilities don't.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
artie505 #24182 11/17/12 06:54 PM
Joined: Dec 2009
kevs Offline OP
ENTER is still valid for a user admin pass, no?

Re: Cocktail and Mountain
kevs #24183 11/17/12 08:58 PM
Joined: Aug 2009
Likes: 16
Moderator
Unless you mean actually using the word Enter, technically pressing the Enter key is not a password. Hitting the Enter key submits a null or blank password. However, in today's environment it is considered by many to be a very risky practice used by badly informed or outright foolhardy users. However, null passwords can still be used but I suspect Apple has deprecated their use because of the dramatically increased security risk, and the increasingly dangerous, even hostile, internet environment.

As I recall, Cocktail's password behavior is not new and like Onyx has required initial passwords for some time now. The only similar utility I have that does not start with asking for the admin password is TinkerTool System which only prompts for the admin password when a process is initiated that requires one. Personally I prefer the initial password request used in Cocktail and Onyx as the password only has to be entered once whereas in TinkerTool System it has to be entered or re-entered for each procedure that is initiated.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #24184 11/17/12 10:29 PM
Joined: Aug 2009
Likes: 15
Clarifying Yasu, it presents a menu of check-boxes and asks for your password only once, and only in the event that you check at least one box to perform a task that requires one.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
artie505 #24185 11/18/12 02:04 AM
Joined: Dec 2009
kevs Offline OP
Joe, I got this tip years ago, to use the enter keystroke as the password, from one of those OS tip books. I've loved it ever since. I'm on a desktop only I use, here at the house, what's the problem?

Now before this last version of Cocktail, I would click the Cocktail icon in the dock and Cocktail would launch without asking for anything. So isn't this a new thing for Cocktail? I just upgraded.

Re: Cocktail and Mountain
kevs #24186 11/18/12 03:04 AM
Joined: Aug 2009
Likes: 16
Moderator
The problem is the password protects your computer from malicious software and/or web sites that would like to install some type of malware on your computer. If your computer is at your house AND you NEVER connect it to the internet and NEVER install any software that you do not receive on a CD from a known reliable source then you probably do not need a password. So, unless you are using an iPhone, iPad, or similar device, your presence on these forums indicates you are regularly connecting to the internet and thus vulnerable to intrusion.

However, once you have a connection to the world outside, not having a password dramatically increases your risk from malware. Even if you have antivirus software and your virus signatures are up to date there is no reason to be sanguine. Much of today's malware is…
  1. undetectable by antivirus programs
  2. indistinguishable from "good" software you are downloading
  3. the malware disables your a/v protection before it can be reported
  4. able to trick you into installing it without your realizing what you are doing
  5. all of the above
I am not a conspiracy theorist, I refuse to live in fear of "the bad guys" on the internet, and my security precautions are nowhere near as stringent as some on these forums, but I do try to be prudent. That includes protecting my computers, iDevices, and networks with reasonably strong passwords. I also try to use reasonably "strong" and unique passwords on all sites I visit that require them. I store my passwords in password protected database files on my iMac, iPhone, and iPad.

I am not alone in touting the need for better computer security. There has been a plethora of recent news articles bemoaning the relatively lax security precautions in government, business, and personal computing systems. Congress has announced they will be conducting hearings on the subject but by the time they figure out what they want to do, it will be ancient history to the bad guys. The DoD has declared internet security one of the greatest threats to our nation's security and they are not talking just about their own computers but how our personal machines can be used by the bad guys for their nefarious purposes.

Because BSD Unix, OS X, and Apple computers are relatively secure in comparison to Windows boxes many Apple users have become sanguine and feel invulnerable, but that can change overnight. Doing what we can to make our Macs a harder target — like using password protection — will hopefully make us a less tempting target for future exploits.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #24190 11/18/12 06:37 PM
Joined: Dec 2009
kevs Offline OP
Joe, thanks.

Do you log in with a password on your home desktop every time you use the computer? I don't. I just have it there on at the ready all day long.

So I'm at home, the computer is on all day long. No antivirus.


Issue one is theft:
Trade offs.

I understand wanting a password for a lost laptop and even the possible home burglar.

Issue 2 is what you are discussing. The internet:


Software I download is software I want, so I just click the enter.
Mostly everything I download is from good sources, that's why I'm installing it. And then even if I had a password, I would still use the password and then install it.

So what good is the password in this respect?

In short, did not fully understand your post about the internet issue.




Re: Cocktail and Mountain
kevs #24192 11/18/12 07:51 PM
Joined: Aug 2009
The problem recently has been that you cannot have a blank admin password to use sudo. Utilities like Cocktail may use sudo. Apps that are actually AppleScripts or that use Apple events may have the same restrictions.

When I'm working on a customer's computer and the admin password is blank, I frequently have to set it to something to run many of my (homemade) tools.

I typically leave it set unless told otherwise, as it provides more security. I'd bet the whole idea was that Apple wanted to make sure trojans or apps that manage to find a dropper/drive-by download entrance can't just run automatically as admin.




I work for the Department of Redundancy Department
Re: Cocktail and Mountain
kevs #24194 11/18/12 09:47 PM
Joined: Aug 2009
Likes: 1
Originally Posted By: kevs
Software I download is software I want, so I just click the enter.
Mostly everything I download is from good sources, that's why I'm installing it. And then even if I had a password, I would still use the password and then install it.

So what good is the password in this respect?


The idea that something from a "good" source is safe doesn't necessarily hold up.

One of the most popular tricks that malware writers use is that they will hack a large, well-known site and install the malware droppers on it. Web security is hard, and even huge multimillion-dollar companies don't necessarily hire programmers who understand security.

In the past several years, malware has been found on sites like the official Delta Airlines site, Newsweek's site, Time magazine's site, Adidas, and more, and used to spread malware. Also, a common technique that Eastern European organized crime will use is to set up fake companies and buy banner ads that redirect secretly to malware sites, often without even being clicked on.

So only sticking to known "good" sites actually is no guarantee of protection.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Cocktail and Mountain
tacit #24195 11/18/12 11:20 PM
Joined: Dec 2009
kevs Offline OP
V., hmmm, he mentioned something about sudo. Fine, but why does Cocktail have to ask for a password every launch? Isn't that new? Don't remember that before.

Tacit, but even if I make a simple password, I'm still going to download the software.
---

As far as trust, I don't know what to say. Cocktail, for example, I don't get on a CD. People suggest software all the time for all types of things on this and other forums. So apart from the famous ones, that's what we're talking about.

Last edited by kevs; 11/18/12 11:21 PM.
Re: Cocktail and Mountain
kevs #24205 11/20/12 10:15 PM
Joined: Aug 2009
It asks at every launch so it doesn't have to store your admin password in a reversible form somewhere. It's actually a really good security feature.


I work for the Department of Redundancy Department
Re: Cocktail and Mountain
kevs #24206 11/20/12 11:08 PM
Joined: Aug 2009
Likes: 16
Moderator
Originally Posted By: kevs
As far as trust, I don't know what to say. Cocktail, for example, I don't get on a CD. People suggest software all the time for all types of things on this and other forums. So apart from the famous ones, that's what we're talking about.
Actually software on CDs is not immune from being infected with viruses. Over the years several very reputable companies have unwittingly shipped CDs/DVDs that were infected. There have also been very recent instances of new hard drives coming from the factory in China with malware pre-installed. No few of those drives were installed in new computers and shipped to the stores for sale to the public.

A number of software applications have been recommended on these forums, but that recommendation is generally based on someone's experience with their copy of the app which in no way should be understood as guaranteeing the copy you get will not be infected. Lately I have been choosing to limit my software purchases to the App Store, if at all possible, on the unproven theory that Apple has a vested interest in being particularly rigorous in keeping malware out of their distribution channels.

The point is that it is a dangerous world out there and it is prudent to take at least minimal precautions such as using strong passwords. Not having passwords is like leaving your car with a back seat full of purchases unlocked with the keys in the ignition while you go Christmas shopping for a few hours at Walmart. Someone could steal your purchases or your car even if it were locked and you had the keys in your pocket, but without those minimal precautions you are low hanging fruit ripe for the picking.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #24215 11/21/12 04:23 PM
Joined: Dec 2009
kevs Offline OP
Joe, you got me spooked, but I'll hold onto this info!


Re: Cocktail and Mountain
kevs #24257 11/24/12 08:16 PM
Joined: Aug 2009
Likes: 1
Moderator
Virtual1 mentioned the non-blank password requirement for sudo commands. This may sound far from your bed, but it isn't really. Among other things listed in this thread, leaving open your account password affects your ability to fix Home folder permissions. Many users sooner or later run into problems that require them to fix Home folder permissions (also known as ACLs or Access Control Lists), or live with the limitations the issue imposes, like the inability to change the name of files and folders, or to move or delete them. ACLs are not affected when you repair (System) permissions with Disk Utility etc. See for an example the Apple KB article Mac OS X v10.5: Renaming or... folder (note that this issue is not specific to Mac OS X 10.5).


alternaut moderator
Re: Cocktail and Mountain
kevs #24260 11/25/12 12:00 AM
Joined: Aug 2009
Likes: 16
Moderator
Originally Posted By: kevs
Joe, you got me spooked, but I'll hold onto this info!

Kevs, if you really want to get spooked, read this New York Times article. Read the entire article and don't stop at the headline.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #24261 11/25/12 01:11 AM
Joined: Dec 2009
kevs Offline OP
Thanks A and Joe, I read that article when it came out, as I get the NY Times, but your link makes it hit home a lot more.

So my personal passwords are on an Excel file (there are about 200), and then I have an Excel file with software passwords too.

They are on my main hard drive, just in a normal folder. I'll make an encrypted one, but it's a real sacrifice as I've gotten so used to the convenience of a quick keystroke to bring it up. And it seems I do have to bring it up quite often, especially for logins to forums.

I should also probably make a password for the computer as noted, but it's a little scary in that: what if you forget your password? That one has got to be memorized, no?

Finally, for my desktop, I do leave it on all day. I never log out between uses. Your opinion on that, A and Joe?

I pop down in my chair maybe 6-8 times a day and just work. No login.

Re: Cocktail and Mountain
kevs #24267 11/25/12 08:45 PM
Joined: Aug 2009
Likes: 16
Moderator
My computer runs 24x7 and I do not log out when I am away, but I do shut Safari down when I am not using it. On an often repeated recommendation from my bank (USAA) when I leave ANY financial site after I log off of the site I quit Safari, or whatever browser I am using even if the next thing I am going to do requires me to relaunch Safari.

Not to quarrel with your use of an Excel file to store passwords but the App Store catalogs nearly 130 dedicated apps for secure storage of password and other data. Thirty-six of them are customer rated at or above 4 stars. Many of them will even generate secure passwords for you.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Cocktail and Mountain
joemikeb #24268 11/25/12 11:00 PM
Joined: Dec 2009
kevs Offline OP
Joe, that was my first question. So you recommend quitting Safari after you walk away from the computer? This is how most people get into your machine, the internet? Hard habit to make, but I can do it.

That article Joe does not speak so highly of password software.

But you are ok with leaving the machine on all day, as long as the internet is closed. I guess the only worry is if your computer got stolen while you were shopping at the market, they would have instant entry.

What about the camera on the computer! Never thought of that. Not a bad idea to put a black sticker over it?

I just made a password with 100% strength I could memorize. I guess I'll use it for my Apple ID with my credit card tied to it. And maybe a few other critical things.

The article had there other interesting points:
Ignore security questions? I would never have thought of ignoring them.
Using different browsers - bit tedious.
Don't register online with real email address, bit overkill?


Re: Cocktail and Mountain
kevs #24284 11/26/12 03:32 PM
Joined: Dec 2009
kevs Offline OP
PS, I think maybe Mountain Lion is shipped with Firewall turned off. I did not know. I can't get into Photoshop now, it says my password is on 2 other computers. I may have been hacked! Why would they ship with Firewall off? Crazy.

Of course I could be wrong...

Re: Cocktail and Mountain
kevs #24307 11/27/12 12:11 AM
Joined: Aug 2009
Likes: 8
It is shipped with the firewall turned off because that will result in Apple receiving fewer complaints and questions from people. The alternative is to deal with all the "I can't access…", "I can't receive…", "I can't download…" queries. Is this safer for the end user? Irrelevant question since we can't control Apple. Take it or leave it.

I strongly second the above comments about getting software to store your passwords. These applications can be accessed with a user-determined keystroke, use fairly strong encryption to store your passwords and many allow secure access from iDevices (convenient and also serves as a backup to the original on your computer). Many (e.g., Data Guardian) also can handle importing from Excel, which will save you enormous amounts of time.


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Cocktail and Mountain
Ira L #24308 11/27/12 02:42 AM
Joined: Dec 2009
kevs Offline OP
Wow, thanks Ira, man, so my computers were both off firewall for a couple of weeks without me knowing that, and my laptop and all my passwords and software serial numbers on the desktop for quick access which I was getting settled — with the internet on a lot. And now Adobe says my PS CS5 is on 2 computers and I cannot use the software. I hope it's all a coincidence.
I cannot fathom how a password software would help me.

One thing about Excel is the true user names and passwords are not listed. The user is often something I memorized, and I just put "standard", and the pass often leads with some digits I've memorized with a dash and a couple of new characters. I don't think you can beat that. With those software you are supposed to put the actual uncoded user and password. What is the upside to that?

Re: Cocktail and Mountain
kevs #24310 11/27/12 04:51 AM
Joined: Aug 2009
Likes: 15
You're asking us to second your rationale for your lack of security, and that's just not about to happen (and I say that despite the fact that my own security does not live up to the standards that have been set out in this thread).

Bottom line is you've read the article and the responses to your posts, and if you're happy with what you've got, live with it; maybe you'll never pay a price, but that's your gamble...your own odds to set.

PS: The first thing on my to-do list when I either re-install or upgrade an OS or buy a new deuced Mac(hina), BEFORE I ever connect to the Internet, is check to make sure my firewall is turned on, because there are some things you NEVER take for granted.

Edit: And, by the way, if you're not running Little Snitch, you should be!

Last edited by artie505; 11/27/12 12:35 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Cocktail and Mountain
kevs #24313 11/27/12 02:41 PM
Joined: Aug 2009
Likes: 1
Moderator
While we're on the topic, here are some recent & related ruminations:

- What you don’t know about passwords might hurt you*
- Mac Gems: Little Snitch snitches on misbehaving apps

I previously linked to articles discussing various aspects of online security. They remain relevant, and some of them can be found HERE.


*) You may of course choose to ignore these recommendations, perhaps because of some of the comments, but that doesn't exactly maintain or improve your security either.


alternaut moderator