my root password? oh sure, here it is.
So, I just bought a copy of Screenflow, an apparently reputable piece of screencasting software for the Mac. They sent me a license code. Now it’s time to enter it. Here’s the window:
Hmm… says here all I need to do is… enter my admin password, and then the license code.
Wait… what?
Why in heaven’s name would Screenflow need to know my admin password here?
My guess is that it’s because it wants to put something in the keychain for me. That’s not a very comforting thought; it also means that it could delete things from my keychain, copy the whole thing, etc. etc.
This is a totally unacceptable piece of UI. I think it’s probably both Apple’s and Telestream’s fault. Really, though, I just paid $100 and now I have to decide whether to try to get my money back, or just take the chance that Telestream isn’t evil.
The Larger Question
The more I think about this, though, the deeper it gets. Is there any realistic way to partition passwords into high-security and low-security? If I have a password manager, then clearly the password for my account there is pretty much my highest-security item; having that password allows someone access to all my bank accounts, etc. Compromising that would be a disaster.
But wait! If you have root on any machine that I use to access that password manager, then you can presumably install a keystroke logger that can observe me typing the password for that password manager (unless I use a hardware-based authentication mechanism), so all of those passwords are pretty much vital as well. I’m thinking specifically of the administrator password on my laptop.
Unfortunately, consumer OSes are pretty cavalier in their handling of administrator passwords. I obviously have no choice but to trust the OS itself in handling that password, but I really don’t want to trust any other application code in that way. However, there’s no reliable way for me to determine, given a window that asks for my password, whether it’s “from the OS” or not. Solving this would involve some fairly drastic steps. The one that comes to mind is having a special light—say, on the side of the keyboard—that indicates that the OS is asking me to enter my password. This would presumably be accompanied by some kind of full-screen takeover. I’m guessing that most OS designers would not find this appealing.
I’d buy it, though.
Does this make me a tinfoil-hat guy?
Post Scriptum
In the end, I did get a refund from Telestream; it was prompt, and they convinced me that they have good business practices, even if their security model stinks.