How to manage passwords with Keychain Access

In the innocent days of our computing youth, many of us had to memorize just one password—the one we used to send and retrieve our email over a glacially slow dial-up connection. User-account passwords? For geeks. Shopping-site passwords? What shopping sites? iTunes Store? App Store? Mac App Store? Didn't exist.

In what may seem like a step backward, we now juggle dozens of passwords. We have passwords for logging on to our Macs, accessing our iOS devices, checking our email, receiving instant messages and texts, purchasing real and virtual goods, yacking on social networking services, streaming music and movies—the list goes on and on.

Fortunately, we no longer need to scribble down each and every password on a hunk of binder paper that we tape to our desks in plain sight. Our Macs can store these passwords and, in many cases, automatically fill them in when needed. But there’s more to know about passwords and the Mac's ability to store them than the simple fact that they exist. Here's a quick guide to what you can—and can’t—do with OS X’s passwords.

Keychains are key

Ever since Mac OS 8.6, the Mac has managed passwords with Keychain, Apple’s password-management system. The Keychain Access application (/Applications/Utilities) is a front-end to that system. It stores a wide variety of items—including passwords for email, websites, servers, network shares, Wi-Fi networks, and encrypted disk images. Additionally, it can store secure notes, private keys, and certificates. Whenever you save a password—whether you're prompted by an application or you're saving a website’s password—it’s stored in the Mac’s keychain.

The Mac places keychain files in multiple locations—/System/Library/Keychains, /Library/Keychains, and ~/Library/Keychains (the Keychains folder inside your user folder's Library). Thankfully, the contents of these various keychain files are combined into Keychain Access, so you needn't worry about where they're held.

Launch Keychain Access, and you’ll see that the window is divided into three panes. The top-left pane lists keychains accessible to you. Below this is the Category pane. Here you can choose to view specific kinds of things stored in the keychain—passwords, secure notes, certificates associated with your account, encryption keys, and certificates used broadly by your Mac. The largest pane, to the right, displays the contents of selected category items—for example, all of the items that have a password associated with them. Except in the case of certificates, you can double-click on one of these items to open a window where you can view the item’s attributes—name, kind, associated account, location (a website or network address)—as well as its access control (meaning the applications and services allowed to access the item).

Recover passwords

Keychain Access can do several useful things. For example, if you’ve forgotten a password and would like to recover it, Keychain Access is the place to go. To learn the identity of a password, select All Items or Passwords in the Category pane, then find the item you want the password for and double-click it.

Double-click a keychain item to locate the Show Password option.

In the resulting window, enable the Show Password option. You’ll be prompted for the password for the login keychain. Enter that and click Allow, and the password will be revealed in the Password field.

If you seek only to recover saved website passwords and are running Safari under Mountain Lion, your task is easier. Launch Safari, open Safari’s preferences, and click the Passwords tab. All the websites for which you’ve saved passwords in Safari will appear in a list. Enable the Show Passwords option and enter your login password when prompted. Passwords will be listed to the right of each site.

You can also remove website passwords here. Just select the site you want to delete and click the Remove button. Or, to remove all remembered passwords, click Remove All.

Change the login keychain’s password

When you first set up a user account, the login password used for that account is additionally assigned to the login keychain, where new passwords are stored by default. So you can simply enter the password you use with your account to uncover a keychain item's secrets.

If there’s a flaw in the Keychain Access security setup, this is it. If someone knows your account’s password, they can access the items in this keychain and then discover your other passwords. If you’re concerned about that, you can easily change the password for the login keychain.

In Keychain Access select the login keychain and choose Edit > Change Password For Keychain "login". You’ll be prompted to enter your current password (the one you now use for your user account) and then enter and verify a new password. Do this, log out of your account and then back in; when the Mac needs to use one of the passwords stored in the login keychain, you’ll be prompted to enter it. As long as you’re logged in, you shouldn’t be troubled for that password again.

Auto-lock the keychain

By default, once you’ve logged in, your keychain will be unlocked, which isn’t terribly secure if others can access your Mac when you’re not around. You can add a level of security that auto-locks your keychain. To do that, launch Keychain Access, select your login keychain, and choose Edit > Change Settings for Keychain “login”.

The sheet that appears shows two options: 'Lock After X Minutes of Inactivity' and 'Lock When Sleeping'. If you choose the first option and configure it to read something like 5 minutes, your keychain will lock if it hasn’t been accessed in the last five minutes. If an application needs access to your keychain after that limit has expired, you’ll be prompted for your login keychain password. Additionally, enable the Lock When Sleeping option, and your keychain locks when your Mac goes to sleep (when you close your MacBook’s lid, for example). Click Save to implement the selected options.
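The same two settings can be applied and checked from a shell with Apple's `security` command-line tool, which is handy when you want to confirm on several Macs that the keychain really does lock. This is an added example, not part of the article; it assumes a Mac with /usr/bin/security, that the commands act on the login keychain when no keychain path is given, and that `show-keychain-info` prints a line shaped like the constructed sample in the comments.

```shell
#!/bin/sh
# Added example (not from the article). Applies and checks the two auto-lock
# settings on the login keychain using Apple's `security` tool.
# Assumptions: /usr/bin/security exists (macOS); with no keychain argument the
# commands act on the login keychain; show-keychain-info prints a line shaped
# like the constructed sample in check_autolock_line.

LOCK_AFTER_SECONDS=300   # the article's "Lock After 5 Minutes of Inactivity"

# Equivalent of ticking both boxes in the "Change Settings" sheet:
# -l = Lock When Sleeping, -u -t N = Lock After N seconds of inactivity.
apply_autolock() {
    security set-keychain-settings -l -u -t "$LOCK_AFTER_SECONDS"
}

# Judge one settings line. Returns 0 when both protections are on and the
# timeout is no longer than LOCK_AFTER_SECONDS, 1 otherwise.
# Constructed sample of a good line:
#   Keychain "login.keychain-db" lock-on-sleep timeout=300s
# Weak variants the check rejects: "no-timeout", "timeout=300s" alone
# (no lock-on-sleep), or a timeout such as 3600s that is longer than wanted.
check_autolock_line() {
    line="$1"
    case "$line" in
        *lock-on-sleep*timeout=*s*) ;;
        *) return 1 ;;
    esac
    secs=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    [ -n "$secs" ] && [ "$secs" -le "$LOCK_AFTER_SECONDS" ]
}

# Read the live setting (security writes it to stderr, hence 2>&1) and judge it.
verify_autolock() {
    check_autolock_line "$(security show-keychain-info 2>&1)"
}

# Runs only when invoked as `sh autolock.sh --apply` on a Mac that has the tool.
if [ "${1:-}" = "--apply" ] && command -v security >/dev/null 2>&1; then
    apply_autolock
    if verify_autolock; then
        echo "login keychain: lock on sleep + ${LOCK_AFTER_SECONDS}s idle lock OK"
    else
        echo "login keychain is NOT auto-locking as expected" >&2
        exit 1
    fi
fi
```

Run `security show-keychain-info` by itself first to see what your Mac prints; if the wording differs from the sample, adjust the pattern in check_autolock_line before trusting the check.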

If you forget

You’ve changed the login keychain’s password and, regrettably, forgotten the new password. Is there any hope? Regrettably, no. Apple uses the Triple Data Encryption Standard (3DES) to secure the keychain. While not the most modern encryption scheme, it’s quite secure for everyday users—in this case, you. Unless you can recall your password, you’re out of luck and must start over. To begin that process, we’ll make a copy of the old keychain for safekeeping, in case you remember its password; we'll remove it from Keychain Access; and then we'll create a new login keychain that you’ll use in the future.

To do that, move to the Finder, select Go > Go to Folder, and enter ~/Library/Keychains. A Keychains folder containing your personal keychains will open. Locate the login.keychain file and drag it to a safe place on your Mac (the Documents folder, for example).

Now launch Keychain Access and select the login item that appears in the Keychains pane. It should appear as an empty box, indicating that it’s missing from the Keychains folder. Choose File > Delete Keychain “login". In the sheet that appears, click Delete References.

Deleting a keychain.

Now choose File > New Keychain. In the resulting Save dialog box, name the new keychain login and save it to the default location (which is your account’s Keychains folder). You’ll be prompted to create and verify a password for this keychain. (Be sure to choose a password that you’ll remember this time.) From this point forward, passwords that you add will appear in this keychain. And, yes, you’ll have to reenter any passwords stored in the old keychain when prompted.

Should the day come when your old password suddenly dawns on you, do this: In the Finder, open that Keychains folder and remove the current login.keychain file and put it in a safe place. Locate the old keychain whose password you’d forgotten and place it in this folder. Log out of your account and then back into it. In all likelihood you’ll be prompted for the password for your keychain by some startup item. When you are, enter the password and the keychain will be unlocked.

Share your login keychain

If you have multiple Macs, each one has its own login keychain with its own set of passwords. Wouldn’t it be great if each Mac had access to the same keychain? They can. Like so:

Make a copy of the login.keychain file inside the Keychains folder on the Mac that has the most complete set of passwords, and copy it to your other Macs. Remove the login.keychain file from each Mac’s Keychains folder and put it in a safe place in case something goes wrong. Place the copied login keychain file within the user’s Keychains folder. Log out and log back in. If your login password on the Mac you’re currently using is different from the one on this master Mac, you’ll be prompted for the login keychain’s password. Once you enter it, you should have access to the same passwords as that master Mac.
