the MacOS X Keychain
Sunday, January 1, 2006 by darco. Posted in Apple, Articles, Security

The "Keychain Access" application that comes with MacOS X is one of the most useful tools that come with Macintosh computers, but it is also one of the most neglected. If you are a Mac user and don't know what this tool is or how to use it, read on.
The number of websites that I use on a regular basis that require a login ID and password is staggering, and I imagine that most of you reading this are in the same boat. Keeping track of all of these logins and passwords can be a nightmare, unless you just use the same password on just about all of them—which is sadly what most people end up doing.
Doing this is very bad. I cannot emphasize this enough. Once you enter a password on a site, you have no idea how they handle it, how they store it, or who looked at it while it was in transit (assuming it wasn't sent over a secure connection). If your passwords are all the same, then one compromised account means all of your accounts are compromised. For many people, including myself, this would be catastrophic.
Web browsers like Firefox and Microsoft Internet Explorer will help you out in this department by remembering your login information to websites you visit, if you want them to. However, there are a few problems with this approach:
- The password is only trivially encrypted on the hard disk*. This means that if your computer is physically stolen or compromised, then nothing is stopping the perpetrator from harvesting all of your passwords. When someone steals a laptop, this is almost always what they are after, not the hardware.
- There is no easy way for the user to figure out what the password is for a particular site, because if there were such a mechanism it would be even more trivial for anyone to harvest all of the passwords on your machine.
- As a corollary to #2, there is no easy way to back up these passwords.
It is these problems that Apple's Keychain set out to solve, and it does so beautifully. From the MacOS X Security page:
To make it easy to manage the daunting number of passwords and permissions intrinsic to network computing, Mac OS X includes a Keychain. The Keychain stores all your information to use encrypted disk images and to log onto file servers, FTP servers and Web servers. Mac OS X automatically adds your .Mac account information to your Keychain. When you log in to Mac OS X, the system opens your Keychain. You don't have to enter your user name and passwords to access this data. You can set Mac OS X to lock your Keychain when the system sleeps or is inactive for a time. The system will ask you for your password the next time you try to access secure data. Other users on the system cannot access your Keychain or its data.
Whenever you store a password on your Macintosh, whether it be for your iChat account, an encrypted disk image, or for a website, it gets stored in your keychain. By default, your keychain password is synchronized to your login password and the keychain is unlocked whenever you log in. Because of these defaults, you are already making some use of the Keychain even if you have no idea what it is. The keychain data is always stored on the hard disk using strong Triple-DES (3DES) encryption, so you don't have to worry about someone extracting the passwords off your hard drive if your computer gets stolen*.
You can access your keychains (Yes, you can have more than one. They can even have different passwords!) through a program called "Keychain Access", which can be found under /Library/Applications/Utilities/Keychain Access. From here you can:
- Look at what accounts you have passwords stored for
- View and/or change the password for an individual entry
- Add a new account/password entry for something arbitrary (like your voicemail PIN, for example)
- Add/view "secure notes" that can contain things like your bank account information, credit card number, etc...
- Keep track of both public and private RSA/DSA certificates
Your keychains are stored in the Keychains folder in your Library. To back it up, simply back up that directory.
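As an added example (not code from the original article), here are the same operations from the command line using macOS's `security` tool: storing an arbitrary secret like the voicemail PIN above, reading it back, locking the keychain and setting it to auto-lock, and backing up the Keychains folder. The service and account names are constructed sample values; the `security` calls only run where that tool exists (macOS), while the backup function works on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the original post. Uses macOS's real `security`
# command; "example-voicemail" / "darco" / "1234" are constructed sample values.
set -eu

# Store an arbitrary secret (the voicemail PIN case) as a generic password item
# in the default (login) keychain. -U updates an existing item instead of failing.
add_secret() {  # add_secret SERVICE ACCOUNT SECRET
    security add-generic-password -U -s "$1" -a "$2" -w "$3"
}

# Read it back. Just like Keychain Access, macOS asks for confirmation
# before an application is allowed to reveal the stored password.
get_secret() {  # get_secret SERVICE ACCOUNT
    security find-generic-password -s "$1" -a "$2" -w
}

# Mitigation for a keychain left unlocked while someone else uses the machine:
# lock the default keychain now, lock it on sleep (-l), and lock it after
# 5 minutes idle (-u -t 300). Apps then prompt for the keychain password again.
harden_login_keychain() {
    security set-keychain-settings -l -u -t 300
    security lock-keychain
}

# Back up a Keychains folder (e.g. ~/Library/Keychains) to a tarball that only
# the owner can read. The keychain files inside stay 3DES-encrypted, but the
# archive still should not be world-readable. Prints the archive path on success.
backup_keychains() {  # backup_keychains SRC_DIR OUT_TAR
    (umask 077 && tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")")
    [ -s "$2" ] && echo "$2"
}

if command -v security >/dev/null 2>&1; then
    add_secret "example-voicemail" "darco" "1234"
    get_secret "example-voicemail" "darco"
    harden_login_keychain
    backup_keychains "$HOME/Library/Keychains" "$HOME/keychains-backup.tar"
fi
```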
Tuesday, January 31, 2006
"The password is only trivially encrypted on the hard disk." - you say this about Firefox passwords. I was under the impression that Firefox uses strong encryption when you set a master password, apparently triple DES; based on this and this.
Tuesday, January 31, 2006
I stand corrected. Thanks for the information and links!
Monday, February 13, 2006
You didn't mention Camino (http://www.caminobrowser.org/) that has the os x native interface, mozilla rendering engine and adds the username/passwords to OS X's keychain. -Shree
Sunday, March 26, 2006
Hey there. I was curious, what if I am trying to see a list of my passwords and usernames I have saved automatically through using Mozilla Firefox on my Mac running 10.4.5? I checked out the Keychain utility and I saw no entries for Firefox. I am new to picking my Mac apart. Perhaps you can help. Thanks. My email is [Omitted]
Monday, March 27, 2006
Bill, Firefox does not use the MacOS Keychain utility for storing passwords, which is one of the reasons I don't use it.
Tuesday, May 23, 2006
...what I would love to see is either Firefox add Keychain capabilities (as Shree noted, the ability is, at least, in 'the family' so someone has added it at some point) or for someone to come out with a little haxie that would capture and enter. As a matter of fact, I found this particular page as the first Google hit with "Firefox Apple Keychain" in looking for just such a little hack or utility.
The number of websites requiring a user name and a password just to download shareware or enter a comment just keeps growing: I prefer to keep the same user name and so each time I choose a new password, I allow Password Assistant to do the choosing, which means that, at some point, I'll be opening Keychain Access anyway (now if Safari had Password Assistant sort of directly tied in, I might consider trying to make the switch again...) so I do store everything in Keychain: but using it with Firefox is very much like using a notepad rather than using it for its intended purpose (and definitely not a good use of its power).
Perhaps it's time to begin a mass emailing to the good folks working on the Firefox/Mozilla team and asking for Keychain compatibility?
Saturday, July 8, 2006
I wouldn't hold your breath waiting for Firefox to support the keychain. I have heard that they will support it in version 3, but I have also heard that they will never support it because Firefox holds cross-platform compatibility as one of its most important features.
I decided to stop waiting and wrote it myself. 1Passwd provides an extension for Firefox that will add a new toolbar to allow Firefox to store passwords and forms into the Keychain. It also adds Safari's AutoFill goodness to Firefox, as well as a strong password generator.
1Passwd uses the centralized keychain and provides extensions to Safari, Firefox, Flock, and Camino. This allows you to switch browsers without manually syncing your passwords.
Sunday, July 9, 2006
Sweet!
Tuesday, September 26, 2006
I'm still a bit confused about Keychain and wish someone would write a guide about how to use properly. I find it a bit worrying as I have a powerbook here at home connected wirelessly to the internet. When friends come round, they want to play my music and surf the internet, which is fine. But one of my friends who'd never used a mac was looking around, asking me what kind of control panels there were etc, and opened Keychain to see what it was. He was then presented with a comprehensive list of all my usernames and passwords for everything from my bank to my email accounts.
Having never really looked at Keychain I was pretty shocked. I changed the password to access it, but now I get five or six messages pop up whenever I log in asking for various applications to access my Keychain. I have no idea how to use it properly - does anyone know of a decent guide for me?
Saturday, January 13, 2007
Your application does look tremendously useful, but why didn't you consider releasing it as open source, and accept donations?
Many people, myself included, are much more inclined to try it out, and send along money if we find it useful, if the money bit is not mandatory.
Plus, I would not consider a program that interfaces directly with my keychain in this way, from an unknown vendor. This is where open source would be a tremendous benefit, in providing peer review.
Also, folks could then add support for applications not supported "out of the box". Although a robust plugin API would also deal with that, but you still wouldn't have the peer review.
Sorry for responding to such an old thread, but I've been looking for something like this for a while. I will not be choosing your product, though, due to its closed source nature, when dealing with my sensitive data.
This comment is not at all meant to be disparaging, and I offer apologies in advance if it seems so. It's intended purely as constructive criticism.
Wednesday, January 24, 2007
Robert,
The MacOS X Keychain is not “my application”. I have absolutely no influence regarding it being open sourced or otherwise. I haven't even started working at Apple yet, and when I do I won't be working on the MacOS X Keychain.
Since I will be working at Apple soon, my ability to comment further on this subject is a bit limited, but I just wanted to say that as my personal opinion I agree with your premise.
Sunday, February 25, 2007
I am new to Mac and have one very big problem with Keychain Access, which is that it asks me for my password all the time but never accepts it. It wants my login password but always says it is wrong even though it works to log on to my Mac. Does anyone know how to reset or fix it? Thanks for any help.
Monday, February 26, 2007
David,
It sounds like your keychain password has somehow gotten out of sync with your login password. Have you changed your password recently? If so, try using that password.
There is no way to recover a lost keychain password. If you cannot figure out the password for your login keychain, you will need to reset your keychain.
Open up Keychain Access, and go to Preferences (COMMAND-,). From the General tab you should see a button 'Reset my Keychain'.
I hope this helps!
Sunday, August 3, 2008
This is an older thread, but a Google search brought me here when I was trying to figure out what encryption Keychain used. I too assumed it was AES, but according to this site:
http://static.agilewebsolutions.com/1password/user_guide/encryption.html
it's Triple-DES. Considering the source, and that it's a "statement against interest" (I'm sure they would rather claim it was AES), I'm inclined to think this is the correct answer.
Sunday, August 3, 2008
Fixed. Thanks!
Saturday, September 12, 2009
For those who find this page via Google and are interested, I created a Firefox extension that adds Keychain support. It's available here:
http://addons.mozilla.org/en-US/firefox/addon/13509/
Hope people find it useful.
Saturday, September 12, 2009
Thanks for the link, Julian! That sounds like a very useful plugin.