
Logs in High Sierra Show Plaintext Password for APFS Encrypted External Volumes - strmpnk
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp
======
makecheck
The new log system does have the concept of “private” data (that can only be
viewed after explicitly enabling it) but I don’t know how they determine what
qualifies.

Apparently a 10.13.x update addressed this. Still, if a password is in a
command line, that is basically impossible to predict if you don’t know the
tool in advance, and would still leak elsewhere (e.g. another user on the
system examining “ps” output).

It is better to use something like an environment variable to pass information
to the subprocess without revealing it in the command.

