TweetFollow Us on Twitter

All Keyed Up

Volume Number: 21
Issue Number: 10
Column Tag: Programming

All Keyed Up

Up Close and Personal With the Keychain: A First Look

by Ilene Hoffman

Our Own Little Corner of the Directory

As your car and house keys provide you access to your stuff behind closed doors, so does the keychain in Mac OS X. A keychain is Apple's designation for a file used to store your passwords, i.e. it is a container for changeable data, where you "write" passwords and save them in a secure file format. These are passwords you created to access software, instant message accounts, mail accounts, web sites, remote servers, such as AppleShare servers, database servers plus other types of personal information you don't want to forget. When a keychain is unlocked, you no longer have to remember or even type in a requested password for any item you've stored in a keychain. You can create as many different keychains as you like and can name them to differentiate the content, according to your personal preferences. The items in a keychain are keys that encrypt or decrypt data. Each keychain can hold as many passwords or keys as needed.

Unless you're some flavor of system or network administrator or your significant other has broken into your coveted system, the keychain is of little concern to you - it just works. In fact, the most common question received from my small business clients is: How do I turn off the keychain? Before you jump the gun and disable this too often maligned system utility, let's take a closer look at its use, functions, and benefits. Remember it is the only place Apple gives you to securely store all your private information.

When you start-up and log-in to with your own password Mac OS X your preferences, customized environment and your keychains are loaded. The main or default keychain, named login, is unlocked automatically. If you set up a .Mac email account when you set up your machine, that password is also stored in the login keychain. Any passwords you add to that keychain are available to you when you log in, so you should be careful if you leave your machine unattended in a populated environment. This is because your passwords are available to any stored item. Logging out of your user account locks the keychain or, if you prefer, you can set Automatic Locking, which is discussed below. For enhanced protection you can change your login keychain password, so that it is not unlocked at startup.


Figure 1. Accessing password-protected services using a keychain

(Source: Enabling Secure Storage With Keychain Services, (c) 2004 Apple Computer, Inc., page 10.)

Keychain Access

The application Keychain Access, found inside the Utilities folder inside your Applications folder, is used to add, delete, and edit keys and keychains. You can also create new keychains, change the default keychain, or troubleshoot keychains. When you first open the application, you see your login keychain with a list of all of its stored passwords, a toolbar, and buttons to view each password key's attributes and access control.

When you first launch Keychain Access you see the login keychain with each of the default keys already entered. Any email address you entered when you set up Mac OS X is entered into the login keychain. In Figure 2, you can see an Earthlink address is active. The toolbar contains buttons to add a new Password, create a Note, Delete a key, Go to a web site, and Lock (or Unlock) the whole Keychain. Click Show Keychains to open a drawer to view all your keychains. The drawer has a nice feature where, if you can run your mouse over the name and location, the path to the keychain appears.


Figure 2. Keychain Acess Window

Each key includes a name , the kind of password, and its creation and modification date in a list view, as seen in Figure 2. When you choose an item (click once) the Delete button activates, so removing a key is easy. A dialog appears with a Delete button to confirm the action. Any item that contains the @ sign signifies that a web-related application is opened when you select the key and press the Go button. Applications include web browsers, email, and ftp applications.

Use the Attributes and Access Control buttons to view more information or edit a key. As seen in Figure 3 below, under the Attributes button you can change or edit any of the items, although some items add information automatically which is useful, such as the Comments for Safari's Forms Autofill utility. Generally, editing these items is not encouraged. A checkbox to Show Password is helpful, but leaving it unchecked is recommended. If you prefer to paste in your password manually, click the Copy Password to Clipboard button. If you do change any information, don't forget to Save Changes. The Comments area is especially useful as it allows you want to make notes on an account.


Figure 3. Attributes in Keychain Acess Window

Access Control is one of the areas that allow you control over when you are prompted for your password(s). As I tell my clients, if you don't want to be bothered with password dialogs, check Access Control to make sure the radio button Allow all applications to access this item is selected. If you want a more secure system, select Confirm before allowing access, so that applications will request your input, and, for an additional layer of security, add the checkbox Ask for Keychain password. You can also use the`Add button and exempt some applications from requesting a password. When you change the permissions for any item, you must Confirm Access to Keychain and type in your Keychain password. Figure 4 shows a Safari Forms AutoFill key that requires a confirmation before any application other than Safari can access the stored information. Remember that the Finder is just another application in Mac OS X.


Figure 4. Access Control in Keychain Acess Window

Create and Use New Keychains

If you think about it, it makes more sense in an environment where a lot of other people are running around to have at least one other keychain that isn't opened automatically when you boot up. So, just how do you create those secondary keychains? Keychain Access, of course! The steps are simply: Launch Keychain Access, choose New Keychain from the File menu, name the keychain, choose where to save it, and click Create. You will be asked to enter and verify a password for that new keychain. If you don't specify saving the keychain in another location, it is stored by default as the follows: (~/Library/Keychains). After you click Create you choose a password for the keychain and that's it, or is it?

Hidden Cool Resources

There are some very useful resources tucked away behind some innocuous buttons in the New Keychain Password dialog. The blue Details button shows information on the location of your new keychain, plus the application associated with it (in this case, Keychain Access.app). Details appear in a number of the dialogs in Keychain Access. The question mark button in the Password dialog takes you to a Mac Help screen on how to choose good passwords.


Figure 5. The New Keychain Password Dialog with the Open Password Assistant

An even better resource is the Password Assistant. Click on the i button and the Assistant rates the quality of your password. In Figure 5, you can see that when I type my own name as the password it returns a low quality(6.5) because the password is not only too short, but very easy to guess. In fact, because it is under six characters , Mac OS X won't let me use my name as the password. When you've chosen a good password, the quality rating goes as high as 10% and the bar turns from red to green. As one network administrator friend of mine commented upon first seeing this help screen: "Wow, this is really helpful."

Multiple Keychains

To view all your keychains you can either select Show Keychains from the toolbar, which opens a Keychain drawer, or choose Show Keychains from the View menu, the keyboard short cut is command-shift- K.

You can also add a previously created keychain to your keychain list, even if the keychain was created on a different machine. To do this first move the keychain file to your computer and store it in your home directory ( ~/Library/Keychains). Second, open Keychain Access and choose Add Keychain... from the File menu. In the Open dialog navigate to the desired keychain and click Open. The keychain is now listed in the Keychain list.

Securing the Secure: Keychain Security

To help secure your machine, you can set each keychain lock preference separately. As noted above this helps protect prying eyes from accessing your information by mistake. You can lock your keychain manually, set it to lock after a specified amount of time or require applications to request access, as stated above. To make changes open Keychain Access, click on the keychain you want to change in the Keychains drawer, and choose Change Settings for Keychain from the Edit menu. The prompt to unlock your keychain appears, and after you type your password, the Change Keychain Settings dialog comes up.


Figure 6. Change Keychain Settings

As can be seen in Figure 6, check boxes make setting locking preferences easy. You can set a keychain to lock after any number of idle minutes and/ or you can Lock a keychain when your machine goes to sleep.

Remember that you can also change settings for a specific key in the Access Control pane, as detailed in the Keychain Access section above.

NOTE: If you find you need to access your keychains often, you can display an icon in your menu bar to open Keychain Access and have immediate access to work with your keys. In Keychain Access, choose Show Status in Menu Bar from the View menu, and a lock icon appears in your menu bar.

Adding New Keys

You can add keys in one of two ways:

1. When you launch a password protected item, such as your FTP site from an FTP app such as Fetch, Transit, Anarchie, you may be prompted to save your password in a keychain. A checkbox labeled: Add to Keychain is built into some applications. Click the box and your key is automatically added to your login.keychain. (Note: An incorrect item can be added, so please check your Keychain if you press the OK button and discover that you've made a mistake.) Whether a password can be added from an open dialog is totally up to the program's developer. As you can see in Figure 7, AOL Instant Messenger prompts you to save your password in a keychain, as does iChat.


Figure 7. AOL Dialog within iChat with Keychain Access Checkbox

2. The second way to add a key is to open Keychain Access and click the Password button. The New Password Item dialog appears and you can manually type in all the information to access any password-protected account you own, as you can see in Figure8. A side note to info I find useful: These passwords do not have to be computer related, you can save bank account information, your bike lock, or your account and PIN numbers for all those credit cards you own. Remember, when you click the Show Typing checkbox you can see your actual password. When an application or item is not supported by Keychain Access, these password items work perfectly as a repository to save secret items. Again, it is a good idea to save these items in a keychain other than the login.keychain (it works better and is more secure than having sticky notes stuck all over your computer). Just remember to click on the keychain you'd like to use before you create your new key.


Figure 8. New Password Dialog

Keychain Repair: First Aid

If you find things aren't working as expected, Keychain First Aid, available from the Window menu of Keychain Access, helps you troubleshoot your keychain problems. The main window contains three useful buttons, Verify checks passwords, settings, and the contents of your keychains. The Repair radio button fixes any problems found in your keychains. The third Options button contains settings.


Figure 9. Keychain First Aid

Under the General Options you can clear previous logs created when you run Verify and Repair. In the unlikely event you've experienced keychain corruption, you can also Reset your selected keychain so that you can start over again. As stated in the dialog, your original keychain is moved, but not deleted.

The Expert Options allows you to set your login.keychain as the default and synchronize it when logging in. Best of all, for all those users who complain about the constant user password prompts, you can set your login keychain to remain unlocked, always!

Conclusion

As you've seen, Keychain Access is designed to protect your personal information, while providing you easy access to password protected items. Apple's Keychain Access Help is comprehensive and should be the first line place you turn when you have a question. If you want more technical information on security in Mac OS X or keychains, Apple's site has a number of informative documents:

Developer Resources


Ilene Hoffman, MS is a Macintosh/ Internet Consultant. She stole her first Mac from her Dad in 1984 after asking him to buy a PC. She's worked for a bunch of major Mac sites, written for many Mac-based publications, and regularly provides troubleshooting expertise to small businesses. Ilene and her dog can be found in the Boston area under a pile of really old Macs.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Fresh From the Land Down Under – The Tou...
After a two week hiatus, we are back with another episode of The TouchArcade Show. Eli is fresh off his trip to Australia, which according to him is very similar to America but more upside down. Also kangaroos all over. Other topics this week... | Read more »
TouchArcade Game of the Week: ‘Dungeon T...
I’m a little conflicted on this week’s pick. Pretty much everyone knows the legend of Dungeon Raid, the match-3 RPG hybrid that took the world by storm way back in 2011. Everyone at the time was obsessed with it, but for whatever reason the... | Read more »
SwitchArcade Round-Up: Reviews Featuring...
Hello gentle readers, and welcome to the SwitchArcade Round-Up for July 19th, 2024. In today’s article, we finish up the week with the unusual appearance of a review. I’ve spent my time with Hot Lap Racing, and I’m ready to give my verdict. After... | Read more »
Draknek Interview: Alan Hazelden on Thin...
Ever since I played my first release from Draknek & Friends years ago, I knew I wanted to sit down with Alan Hazelden and chat about the team, puzzle games, and much more. | Read more »
The Latest ‘Marvel Snap’ OTA Update Buff...
I don’t know about all of you, my fellow Marvel Snap (Free) players, but these days when I see a balance update I find myself clenching my… teeth and bracing for the impact to my decks. They’ve been pretty spicy of late, after all. How will the... | Read more »
‘Honkai Star Rail’ Version 2.4 “Finest D...
HoYoverse just announced the Honkai Star Rail (Free) version 2.4 “Finest Duel Under the Pristine Blue" update alongside a surprising collaboration. Honkai Star Rail 2.4 follows the 2.3 “Farewell, Penacony" update. Read about that here. | Read more »
‘Vampire Survivors+’ on Apple Arcade Wil...
Earlier this month, Apple revealed that poncle’s excellent Vampire Survivors+ () would be heading to Apple Arcade as a new App Store Great. I reached out to poncle to check in on the DLC for Vampire Survivors+ because only the first two DLCs were... | Read more »
Homerun Clash 2: Legends Derby opens for...
Since launching in 2018, Homerun Clash has performed admirably for HAEGIN, racking up 12 million players all eager to prove they could be the next baseball champions. Well, the title will soon be up for grabs again, as Homerun Clash 2: Legends... | Read more »
‘Neverness to Everness’ Is a Free To Pla...
Perfect World Games and Hotta Studio (Tower of Fantasy) announced a new free to play open world RPG in the form of Neverness to Everness a few days ago (via Gematsu). Neverness to Everness has an urban setting, and the two reveal trailers for it... | Read more »
Meditative Puzzler ‘Ouros’ Coming to iOS...
Ouros is a mediative puzzle game from developer Michael Kamm that launched on PC just a couple of months back, and today it has been revealed that the title is now heading to iOS and Android devices next month. Which is good news I say because this... | Read more »

Price Scanner via MacPrices.net

Amazon is still selling 16-inch MacBook Pros...
Prime Day in July is over, but Amazon is still selling 16-inch Apple MacBook Pros for $500-$600 off MSRP. Shipping is free. These are the lowest prices available this weekend for new 16″ Apple... Read more
Walmart continues to sell clearance 13-inch M...
Walmart continues to offer clearance, but new, Apple 13″ M1 MacBook Airs (8GB RAM, 256GB SSD) online for $699, $300 off original MSRP, in Space Gray, Silver, and Gold colors. These are new MacBooks... Read more
Apple is offering steep discounts, up to $600...
Apple has standard-configuration 16″ M3 Max MacBook Pros available, Certified Refurbished, starting at $2969 and ranging up to $600 off MSRP. Each model features a new outer case, shipping is free,... Read more
Save up to $480 with these 14-inch M3 Pro/M3...
Apple has 14″ M3 Pro and M3 Max MacBook Pros in stock today and available, Certified Refurbished, starting at $1699 and ranging up to $480 off MSRP. Each model features a new outer case, shipping is... Read more
Amazon has clearance 9th-generation WiFi iPad...
Amazon has Apple’s 9th generation 10.2″ WiFi iPads on sale for $80-$100 off MSRP, starting only $249. Their prices are the lowest available for new iPads anywhere: – 10″ 64GB WiFi iPad (Space Gray or... Read more
Apple is offering a $50 discount on 2nd-gener...
Apple has Certified Refurbished White and Midnight HomePods available for $249, Certified Refurbished. That’s $50 off MSRP and the lowest price currently available for a full-size Apple HomePod today... Read more
The latest MacBook Pro sale at Amazon: 16-inc...
Amazon is offering instant discounts on 16″ M3 Pro and 16″ M3 Max MacBook Pros ranging up to $400 off MSRP as part of their early July 4th sale. Shipping is free. These are the lowest prices... Read more
14-inch M3 Pro MacBook Pros with 36GB of RAM...
B&H Photo has 14″ M3 Pro MacBook Pros with 36GB of RAM and 512GB or 1TB SSDs in stock today and on sale for $200 off Apple’s MSRP, each including free 1-2 day shipping: – 14″ M3 Pro MacBook Pro (... Read more
14-inch M3 MacBook Pros with 16GB of RAM on s...
B&H Photo has 14″ M3 MacBook Pros with 16GB of RAM and 512GB or 1TB SSDs in stock today and on sale for $150-$200 off Apple’s MSRP, each including free 1-2 day shipping: – 14″ M3 MacBook Pro (... Read more
Amazon is offering $170-$200 discounts on new...
Amazon is offering a $170-$200 discount on every configuration and color of Apple’s M3-powered 15″ MacBook Airs. Prices start at $1129 for models with 8GB of RAM and 256GB of storage: – 15″ M3... Read more

Jobs Board

*Apple* Systems Engineer - Chenega Corporati...
…LLC,** a **Chenega Professional Services** ' company, is looking for a ** Apple Systems Engineer** to support the Information Technology Operations and Maintenance Read more
Solutions Engineer - *Apple* - SHI (United...
**Job Summary** An Apple Solution Engineer's primary role is tosupport SHI customers in their efforts to select, deploy, and manage Apple operating systems and Read more
*Apple* / Mac Administrator - JAMF Pro - Ame...
Amentum is seeking an ** Apple / Mac Administrator - JAMF Pro** to provide support with the Apple Ecosystem to include hardware and software to join our team and Read more
Operations Associate - *Apple* Blossom Mall...
Operations Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Cashier - *Apple* Blossom Mall - JCPenney (...
Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Mall Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.