C-Command Software Forum

Password Leaking BUG

Guys, I’m a happy user of DropDMG. When I create a profile with encryption and set a password, the password stays there for future reference. Someone could open my DropDMG app and gather all passwords for my encrypted DMG files. That’s a horrible security flaw IMO.

Just go to Preferences/Set Passphrase/Show Passphrase.

The passphrase is securely stored in your keychain. I don’t think this is a security flaw because you can control (when DropDMG first prompts you, or via Keychain Access) whether the system asks you to unlock the keychain before making the passphrase available to DropDMG.

You also have the option to leave the passphrase field blank. Then you will be prompted to enter the passphrase as needed, and it will not be stored at all.