The OS X Keychain

Vincent Danen

March 25, 2008

Mac OS X comes with a very nice, integrated tool that manages passwords for you. This tool is called Keychain, and anyone who has used OS X has used Keychain. It is a unique means of storing password information, be it website access or passwords to local programs. Keychain can manage it all (provided the application in question supports Keychain).

What Keychain does, by default, is recognize that when you provide proper credentials upon login, you are telling the OS that you are you. By doing this, you obtain access to your Keychain, which is a database (of sorts) that stores password information. Programs that support Keychain will fill in the blanks, and allow you to basically forget your passwords. Keychain will handle all of this for you. At every turn, you will be asked if you want to save a particular password to your Keychain. If you answer yes, each subsequent authorization request for that application (or website) will be handled, transparently, by Keychain.

This is a great thing, especially considering how many passwords the average user is likely to have. It can also be a scary thing; any user who obtains access to your computer can, theoretically, obtain access to every networked application, share, or website that you have stored a password for in your Keychain.

Considering the average user, Apple took steps and decided that if you authenticated during login, you have access rights to your Keychain, at all times. For many people, this is sufficient. If you use your computer at home, or you're the only person using it, or if you log out after every session, using Keychain in this manner would be fine. For the person at work, or a mobile person whose laptop could be stolen, this isn't such a good idea. In multi-user environments, unless you log out every time you are away from your computer, making this type of assumption can be dangerous. What you really want is for Keychain to ask you for your master password (which is your login password, by default) each time you access the Keychain. Or, failing that, at least have it "time out" on you, so that if you do leave your computer, someone can't wander on by and start making bids on eBay with your account.

Managing Keychain

To manage your Keychain, you need to run the Keychain Access program, which is located in /Applications/Utilities (or Applications -> Utilities). Here, you can tell the system to lock your Keychain, something you'll want to do if you wander away from your computer without having logged off first. You can lock your Keychain in one of two ways:

  • Manually: click on the Lock icon; this will immediately lock your Keychain and you will need to provide your master password to unlock it.
  • Automatically: in Keychain Access, select Edit -> Username Settings (i.e. Edit -> "vdanen" Settings). Here you can tell the Keychain to lock after five minutes of inactivity and/or when the system goes to sleep. The Keychain will be unlocked after you enter your master password (which the system will ask you for when you return).

You can also change the master password by clicking the "Change Passphrase" button in the Edit -> Username Settings dialogue. If you do change the master password, the Keychain will not be automatically unlocked when you log in. Following the principle of security in layers, this is a good thing. Ideally, you want Keychain locked when the system goes to sleep, and you want it locked after a certain period of idle time, just to make sure that no one can get into those things you deemed important enough to protect with a password. Likewise, if someone obtains your login password, you don't want to automatically give them access to all of your passwords as well. Using a different password here provides an extra layer of protection, a welcome thing considering the data that Keychain manages.
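The same lock settings can be audited and applied from a terminal with macOS's `security` tool. This is an added example, not part of the original article: the `security` subcommands and flags (`show-keychain-info`, `set-keychain-settings -l -u -t`, `lock-keychain -a`) are real, while the shell function names, the 300-second threshold and the sample output lines are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit and apply the Keychain lock settings the article
# configures in Keychain Access, using the macOS `security` tool.
# Function names and sample lines are constructed; the flags are real.

MAX_IDLE=300   # five minutes of inactivity, as the article suggests

# Judge one line of `security show-keychain-info` output, which looks like
#   Keychain "login.keychain" lock-on-sleep timeout=300s
#   Keychain "login.keychain" no-timeout
# Returns 0 (and prints OK) only when the keychain locks on sleep AND after
# at most MAX_IDLE seconds of inactivity; otherwise prints WEAK, returns 1.
check_keychain_info() {
    line="$1"
    case "$line" in
        *" lock-on-sleep"*) sleep_ok=1 ;;
        *)                  sleep_ok=0 ;;
    esac
    # Extract the idle timeout in seconds; empty when no timeout is set.
    secs=$(printf '%s\n' "$line" | sed -n 's/.* timeout=\([0-9]*\)s.*/\1/p')
    if [ "$sleep_ok" -eq 1 ] && [ -n "$secs" ] && [ "$secs" -le "$MAX_IDLE" ]; then
        echo "OK   $line"
        return 0
    fi
    echo "WEAK $line"
    return 1
}

# Report every keychain in the search list (macOS only; skipped elsewhere).
# show-keychain-info writes to stderr, hence the 2>&1.
audit_keychains() {
    command -v security >/dev/null 2>&1 || { echo "security tool not found"; return 0; }
    security list-keychains | sed 's/^[[:space:]]*"\(.*\)"$/\1/' |
    while read -r kc; do
        check_keychain_info "$(security show-keychain-info "$kc" 2>&1)"
    done
}

# Apply the article's recommendation to one keychain: lock when the system
# sleeps (-l) and after MAX_IDLE seconds of inactivity (-u -t).
harden_keychain() {
    security set-keychain-settings -l -u -t "$MAX_IDLE" "${1:-login.keychain}"
}

# Manual equivalent of clicking the Lock icon, for all keychains at once.
lock_all_keychains() {
    security lock-keychain -a
}
```

Run `audit_keychains` first to see which keychains would stay unlocked across sleep or idle time, then `harden_keychain` on each one that reports WEAK.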

You can also manage each item in your Keychain. Beneath the tool bar is a list of the different entries in your Keychain. To review the stored data, simply click on one of the items in the list. You will then be presented with the attributes of that item, which contain:

  • Name: the name of the entry
  • Kind: the kind of entry (Internet password, application password, etc.)
  • Account: the name of the account (i.e. username)
  • Where: the location for this entry; a website URL, FTP site, application name, etc.
  • Comments: a text box you can use to store comments on that particular entry


You can also choose to show the passphrase associated with the entry by clicking the "Show passphrase" box. The first time you elect to show the passphrase, you will be prompted for your Keychain password to unlock it.

There is also an Access Control tab that allows you to fine-tune what applications may access the data. You can select whether access will be automatically allowed or whether confirmation, through Keychain, must take place. You can also force a particular entry to always require the Keychain password, regardless of whether the Keychain is currently locked or unlocked. Finally, a list of the applications permitted to access the item is provided for you, and you can add or remove applications from that list.

You can have multiple Keychains if you really feel the need (perhaps a division between work and home, or access to certain passwords should be permitted with one master password while other applications should require another). This is done by selecting File -> New -> New Keychain from within Keychain Access. You can also copy and delete Keychains as they all live in ~/Library/Keychains. This can be useful if you want to copy your Keychain file from your desktop machine to your laptop.

While Keychain is designed for handling passwords transparently for you, it can also handle other data. You can store secure notes in your Keychain, and you can add new passwords manually. By being creative, you can use this to store credit card information, serial numbers, etc. Both are added by clicking the Note and Password icons in the toolbar, respectively.