the MacOS X Keychain

Sunday, January 1, 2006 by darco
Posted in , ,


The "Keychain Access" application that comes with MacOS X is one of the most useful tools that come with Macintosh computers, but it is also one of the most neglected. If you are a Mac user and don't know what this tool is or how to use it, read on.

The number of websites that I use on a regular basis that require a login ID and password is staggering, and I imagine that most of you reading this are in the same boat. Keeping track of all of these logins and passwords can be a nightmare, unless you just use the same password on just about all of them—which is sadly what most people end up doing.

Doing this is very bad. I cannot emphasize this enough. Once you enter in a password on a site, you have no idea how they handle it, how they store it, or who looked at it while it was in transit(assuming it wasn't sent over a secure connection). If your passwords are all the same, then one compromised account means all of your accounts are compromised. For many people, including myself, this would be catastrophic.

Web browsers like Firefox and Microsoft Internet Explorer will help you out in this department by remembering your login information to websites you visit, if you want them to. However, there are a few problems with this approach:

  1. The password is only trivially encrypted on the hard disk*. This means that if your computer is physically stolen or compromised, then nothing is stopping the perpetrator from harvesting all of your passwords. When someone steals a laptop, this is almost always what they are after–not the hardware.
  2. There is no easy way for the user to figure out what the password is for a particular site, because if there were such a mechanism it would be even more trivial for anyone to harvest all of the passwords on your machine.
  3. As a corollary to #2, there is no easy way to back up these passwords.

It is these problems that Apple's Keychain set out to solve, and it does so beautifully. From the MacOS X Security page:</p>

To make it easy to manage the daunting number of passwords and permissions intrinsic to network computing, Mac OS X includes a Keychain. The Keychain stores all your information to use encrypted disk images and to log onto file servers, FTP servers and Web servers. Mac OS X automatically adds your .Mac account information to your Keychain. When you log in to Mac OS X, the system opens your Keychain. You don't have to enter your user name and passwords to access this data. You can set Mac OS X to lock your Keychain when the system sleeps or is inactive for a time. The system will ask you for your password the next time you try to access secure data. Other users on the system cannot access your Keychain or its data.

Whenever you store a password on your Macintosh, wether it be for your iChat account, an encrypted disk image, or for a website, it gets stored in your keychain. By default, your keychain password is synchronized to your login password and unlocked whenever you log in. Because of these defaults, you are already making some use of the Keychain even if you have no idea what it is. The keychain data is always stored on the hard disk using strong AES 3DES encryption, so you don't have to worry about someone extracting the passwords off your hard drive if your computer gets stolen*.

You can access your keychains (Yes, you can have more than one. They can even have different passwords!) through a program called "Keychain Access", which can be found under /Library/Applications/Utilities/Keychain Access. From here you can:

  • Look at what accounts you have passwords stored for
  • View and/or change the password for an individual entry
  • Add a new account/password entry for something arbitrary (like your voicemail pin number, for example)
  • Add/view "secure notes" that can contain things like your bank account information, credit card number, etc...
  • Keep track of both public and private RSA/DSA certificates

Your keychains are stored in the Keychains folder in your Library. To back it up, simply back up that directory.