It seems that Mac OS X (10.3.4 tested) doesn’t bother clearing memory
\ncontaining sensitive data, or using mlock() to avoid swapping.
\nA quick grep of the swapfiles will show up various morsels<\/p>\n
rez:~> sudo strings -8 \/var\/vm\/swapfile0 |grep -A 4 -i longname Grepping for context around “password” also shows up results, and grepping Obviously this is only of interest if an attacker has root (or physical) Reported to Apple on 21 June, I haven’t had any response. It’d be nice if found by Matt<\/p>\n","protected":false},"excerpt":{"rendered":" Mac OS X stores login\/Keychain\/FileVault passwords on disk<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-191","post","type-post","status-publish","format-standard","hentry","category-apple"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-35","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=191"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/191\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nlongname
\npassword
\n
\n\/bin\/zsh
\nusername
\n—
\n… various other occurrences follow<\/p>\n
\nfor portions of a Keychain password (differing from the login password)
\nwill also get results. It appears that loginwindow is one of the apps involved,
\nI haven’t investigated what else is involved. The amount of memory and usage
\npatterns of the machine will affect what gets swapped, though loginwindow seems
\nlikely to get swapped early since it is seldom used after login.<\/p>\n
\naccess to a machine, however it does make FileVault or Keychain encryption
\nfairly useless. It appears that the swapfiles are removed on shutdown or
\nstartup, though not wiped – pulling the power from a sleeping machine, and\/or
\nbooting from CD, would quite easily retrieve the password(s).<\/p>\n
\nthey at least said “we’re taking a look if it’s an issue”.<\/p>\n