Keychain Unlocker 2.0.2 is out; comments from author re security

Keychain Unlocker 2.0.2 is out. It is the latest update to this utility that uses AppleScript to provide a simple way to unlock your Mac OS 9 keychains.

Regarding our recent coverage of security of your password when using utilities such as this, Rich Love (the author of Keychain Unlocker) offers these comments:

There has been some discussion about security issues with Keychain Unlocker since it is possible for a hacker to obtain the keychain password from the AppleScript applet. Although it is true that a hacker sitting at your Mac could obtain the password from the applet, it is really irrelevant. Since anyone sitting at your Mac can run the applet to unlock the keychain, why would it matter if you could hack into the applet to see the password? This applet should only be used in a secure environment such as home or small office where everyone is trusted. I have stated this in my ReadMe file.

One precaution that can be taken in an office environment (or Internet-connected Mac) is to unshare the Startup Items folder. That way, nobody on the network could hack into your applet.

There is another program called Keychain AutoUnlock that claims to be secure because you can't hack into it to get the password. However, it really is not secure either because when you run it, the keychain is unlocked and anyone using your Mac has complete access to your keychain. This program also does not solve the problem of mounting servers on startup.

I guess my point is that the whole idea of automatically unlocking the keychain is by nature not secure and that is the way many users want it (as long as it is secure from prying eyes over a network).