SL Baur's Journal: Password security in OS/X

I wish to document a statement I made in good faith, but perhaps without sufficient information and provide clarification that I am not trolling.

My intention at this time, is to gain information as to whether Apple resellers are selling tainted product in Asia, or someone is tainting their product in Asia, or I am just an idiot and hit the wrong key somewhere. I've been a Unix user at home for over two decades and so I was shocked when I clicked a button on a login screen to see my password displayed.

I originally wrote:

Consider Mac OS X Leopard. If you do not choose a hint for your password, it will happily display your password in cleartext at the login screen when the hint button is clicked.

This comment was based on direct experience and apparently unique to me. So, after being pounded over the head with a clue hammer, I wrote the following:

This thread is already inside google, so I will post a summary and shut up.

I retract the general statement I made earlier in the thread and summarize the information here.

This a Mac Powerbook Pro purchased at Fries Electronics in San Jose in July 2007 with Mac OS X 10.4. It was booted for the first time outside the store.

It was upgraded to 10.5 with a shrink-wrapped box purchased in Manila, Philippines from an official Apple store this past July, before the hardware problems listed below manifested.

I had the show password hints option set.

I do not have a password hint on my account.

When I clicked show hint at the login screen, my password was displayed.

The machine is now out of service with a bad motherboard that is being replaced. It is possible there was some kind of hardware problem.

The system may have been booted into Safe Mode. I do not recall. One aspect of the dying mother board was that the airport was being misdetected at system boot.

This was an administrative account.

The software was purchased in the Philippines. It may or may not be the same image sold in the United States.

All music, videos, and most games sold in the Philippines are counterfeit, pirated or both. I have no idea how much of shrink wrapped software for sale is counterfeit.

I cannot reproduce the issue at the moment because my wife's Macbook is 7000 miles away and mine is in the shop for repairs.

An Apple person with a Macbook and a spare partition is welcome to call me at the office in order to borrow the Philippine 10.5 DVD long enough to install it on the empty partition and duplicate the same steps described above.

I like Macs. I'm not a fanboy, but it's Unix inside and my wife loves her Mac. I would love to be proved wrong, or demonstrate to someone that bad Apple system software is being sold in the Philippines.

I will shut up until I get my Powerbook back and have had a chance to redo the steps myself.

I posted the summary because as I was googling for other pages that might have been appropriate to my query, I found Slashdot. It is only fair to Apple that I attempt to rectify the situation. I have no wish to harm Apple. As an Open Source programmer from way back, when I see something go wrong in software, I want to fix it. In Linux, I can, but not in OS X. So, I'll provide as much information as I can so that if I have run across some wierd corner case, they can fix it.

Since that was posted, I remembered two other things I should have mentioned:

The account in question was created in 10.4 at the first system boot.

I used a program downloaded from apple.com called OnyX to clear caches in order to get the machine to boot out of Safe Mode when the bad airport driver was insmod'ed at boot. This might be an artifact of the 10.4 -> 10.5 upgrade.

I offer my apologies to Apple if this was something one off due to impending mother board failure or something like that. And if someone in Asia is selling tainted 10.5 CDs, maybe they would like to know about that.