How to better manage passwords with Keychain Access
By Topher Kessler
If you’ve ever encountered a dialog box that, upon asking for a password, offers to store it, you’ve had a brush with OS X’s keychain. And perhaps you think that’s all it’s good for—storing your web, email, and network passwords. While it can do all that, the keychain and its partner, Keychain Access, offer additional password-related options you should be aware of. Here’s how to put these options to best use.
Retrieving saved passwords
Since the keychain holds your passwords, it’s hardly a leap to believe it can be used to retrieve them. However, because it supplies them automatically, you may so rarely interact with your passwords that you forget them. This is particularly so if you use Apple’s password generation tools, which create passwords that are difficult to remember. Should you need to retrieve your password, you can easily do so in Keychain Access in one of two ways.
The first is to launch Keychain Access (found in /Applications/Utilities) and search for your desired service—gmail.com, for example. Double-click the keychain entry to open it and then enable the Show Password option. When prompted, enter the username and password associated with the login keychain and click Allow. The password will appear in the appropriate field.
In addition to this approach, you can copy a password to the clipboard by selecting Edit > Copy Password to Clipboard (or press Shift-Command-C or right-click on the item). Again, you’ll be prompted for the username and password for the login keychain. Once the password is in the clipboard you can paste it where you need it.
Troubleshooting password management
Beyond password storage and retrieval, Keychain Access allows you to troubleshoot problems you may have with passwords on your Mac. If you find that an app repeatedly prompts you for a password when you’ve already added it to the keychain, something in the keychain may not be right. To fix this, you have two general options in Keychain Access.
Check the health of your keychain by selecting it in the Keychain Access sidebar and then choosing Keychain First Aid from the Keychain Access application menu (or pressing Shift-Command-A). The panel that appears can be used to repair your keychain file.
You can also remove individual keychain entries by selecting the one (or ones) associated with your problematic accounts or services, and then deleting them so OS X can re-create them. This can also be useful for removing duplicate keychain entries for the same account, which may prevent services from retrieving the correct password and cause them to prompt you for it.
Beyond the basics
These options are fine for general use, but there are additional options in the keychain that might be helpful for handling your passwords and securing them.
Locking your keychain. By default, your Mac manages all of your passwords in the login keychain, which is unlocked when you log in (and locked when you log out). But suppose you want to lock your keychain while still logged in. You can, of course, configure the Security & Privacy system preference so that the keychain locks when you put the Mac to sleep or the screen saver begins. But Keychain Access provides you with additional options. Using its advanced options you can auto-lock your login keychain.
To auto-lock your keychain just select it in Keychain Access and choose Edit > Change Settings for Keychain [“name of keychain”]. This will allow you to set a separate timer for locking your keychain. If you don’t want to lock it automatically but want the freedom to do so manually, open Keychain Access’ preferences and, in the General tab, enable the Show Keychain Status In Menu Bar option. From this menu you can then choose Lock Keychain.
Creating additional keychains. Sometimes having just one keychain isn’t enough, particularly if you want to log into your Mac without granting access to all of your services. To do this, choose File > New Keychain to create a new keychain and then drag specific password items from your login keychain to this new one (authenticating when prompted). As with your login keychain, you can change this keychain’s settings and lock it from the Keychain Status menu.
While the use of separate keychains may seem odd at first, it can be helpful if you use your Mac for different tasks in the same work environment. For example, if you have special network shares that you use only periodically and wish to keep unmounted and unavailable most of the time, you can create a separate keychain to store the passwords for these shared folders. With such a setup, you can still access your email and other online services using your account’s login keychain, and then unlock the separate keychain using the Keychain Status menu whenever you need to access your special network shares.
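The separate-keychain setup described above can also be scripted with the security command-line tool that ships with OS X. This is an added example, not part of the original article; the keychain name shares.keychain and the 300-second timeout are assumptions, and by default the script only prints the commands (DRY_RUN=1) so they can be reviewed before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: create a second keychain that locks itself on sleep and
# after an idle timeout. Name and timeout below are illustrative values.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it unchanged.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_keychain NAME TIMEOUT_SECONDS
setup_keychain() {
    name=$1
    timeout=$2
    # Reject anything that is not a positive whole number of seconds.
    case $timeout in
        ''|*[!0-9]*) echo "timeout must be whole seconds" >&2; return 2 ;;
    esac
    [ "$timeout" -gt 0 ] || { echo "timeout must be > 0" >&2; return 2; }
    # Reject empty names, paths, and names that would parse as options.
    case $name in
        ''|*/*|-*) echo "invalid keychain name" >&2; return 2 ;;
    esac

    # No -p option: security prompts for the new keychain's password, so
    # it never appears in shell history or the process list.
    run security create-keychain "$name" &&
    # -l: lock when the system sleeps; -u with -t: lock after the timeout.
    run security set-keychain-settings -l -u -t "$timeout" "$name" &&
    # Print the resulting settings so they can be checked.
    run security show-keychain-info "$name" &&
    # Leave the keychain locked until it is needed.
    run security lock-keychain "$name"
}

# Stand-alone use: sh setup-keychain.sh shares.keychain 300
if [ "$#" -eq 2 ]; then
    setup_keychain "$1" "$2"
fi
```

Moving the password items into the new keychain is still done by dragging them in Keychain Access, as described above.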
And on beyond
And there’s more. Password-centric though Keychain Access may appear, it has other talents—syncing iCloud keychain items, creating secure notes, and managing certificates. While its benefits may be lost on casual Mac users, those who have more advanced skills should spend some time with it, if only to explore the many ways your Mac helps secure your data and personal information.