Mac OS X Unleashed

By John Ray and William C. Ray

Keychain Access

Using the Internet is a neverending struggle to keep track of passwords for e-mail servers, file servers, Web sites, and other private information. Since Mac OS 9.x, Apple has included a security application and API, called the Keychain, to make accessing your collection of passwords much easier.

The Keychain Access software (Path: /Applications/Utilities/Keychain Access) automatically stores passwords from Keychain-aware applications such as Mail and iTools. Users can also manually add their own passwords to the keychain. Later, the keychain can be unlocked to reveal the original cleartext password. By default, all users have their own keychain named the same as their username. Additional keychains can be created to store specific information, such as credit card numbers, PINs, and so on. Think of the keychain as a database of your most sensitive information, all accessible through your Mac OS X account password.

Automated Access

Launching Keychain Access displays the contents of your default keychain. For my account, named jray, this is a keychain named jray. For an account that has set up e-mail and iTools services, the Keychain Access window should look similar to that in Figure 7.61. There are three items listed: two for my e-mail account and its associated servers, and one for iTools.


Figure 7.61 The Keychain Access window displays a list of stored passwords and other information.

The obvious question is, "How did these items get here?" They were added by Mac OS X applications. Typically, when an application wants to store something in the keychain, you'll be given the option of storing it. For example, when accessing a site that requires HTTP authentication, the OmniWeb browser presents a dialog box as seen in Figure 7.62. Choosing the Remember name and password option automatically adds the entered password to the default keychain. Over time, your keychain could become populated with hundreds of items and you might not ever know it!


Figure 7.62 Applications can automatically add information to the default keychain.

When an application wants to access information from your keychain, it must first make sure that the keychain is unlocked. Your default Mac OS X keychain is automatically unlocked when you log in to your account, making its passwords accessible to the applications that stored them. To manually lock or unlock a keychain, click the Lock button in the upper-right corner of the Keychain Access window. The Keychain Access window, along with its Dock icon, will change to reflect its security status. If an application attempts to access information on a locked keychain, it will display a dialog, as shown in Figure 7.63. Entering the correct password (your account password for the default keychain) will unlock the keychain that your application is attempting to access.


Figure 7.63 If an application attempts to access data in a locked keychain, you will be prompted for the keychain's passphrase.

Even after a keychain is unlocked, an application might still need a bit more help before it can retrieve the information it needs from the keychain. Each stored piece of information can be controlled in a way that makes it accessible to only very specific applications. Mail passwords, for example, are only accessible by the Mail application. If a program you just downloaded off the Internet attempts to unlock your Web or e-mail passwords, you'll know something nefarious is afoot. Sometimes, usually after a system upgrade, you will have to re-educate your Mac OS X computer about what applications can access what passwords. This is an extremely simple process.

When the keychain notices an unauthorized application attempting to access a piece of information, it will prompt the user with a window similar to the one shown in Figure 7.64. Users can choose to deny the access, allow it only once (Allow Once), or allow the application to access the information whenever it wants (Always Allow). Before making a choice, you should always click the Details disclosure triangle to view which keychain is being accessed and which application wants the data. If you don't recognize the application, click Deny to disallow access.


Figure 7.64 Each application must be authorized to access a specific piece of information.

Manual Access

Users who want to access stored data, or manually add new information to a keychain, can do so through the Keychain Access program. Each item listed in the keychain window can be opened by selecting it and then clicking the Get Info button, or simply by double-clicking the entry. Much as the Finder's Show Info window displays information about a file, the Get Info function of the keychain shows information about the stored data.

General Information

There are two panels of information for each keychain entry: General Information and Access Control. These are selectable from the Show pop-up menu. General Information, as its name suggests, provides the basic details about the stored item. For example, Figure 7.65 shows the General Information for an IMAP password in my default keychain. The Kind field identifies the type of information, Where shows the resource that stored the information, Account displays the creating user account, and the Created/Modified fields display when the entry was added and last edited. Users can add any additional comments about the item by typing in the Comments field. Click the View Password button to display the password in cleartext. If you are viewing an entry that includes a URL, a Go There button is included in the display to take you to the remote resource.


Figure 7.65 The General Information panel displays what type of data is stored, and when it was added to the keychain.

Access Control

The Access Control panel of the Get Info function enables the user to pick and choose which applications can access a given piece of information in the keychain. Shown in Figure 7.66, the controls of this panel are very straightforward. Check Allow Access to This Item Without Warning to allow applications to transparently access the resource with no user interaction. You can further restrict access to individual applications by clicking the Allow Access Only by These Applications radio button and then using the Add and Remove buttons to add and remove applications from the list. If you prefer to allow any program to access the resource, click the Allow Access by Any Application radio button. Those who are truly security conscious can uncheck the Allow Access to This Item Without Warning check box to force all applications to first ask permission before retrieving a password.


Figure 7.66 Use the Access Control information panel to enable or disable an application's ability to retrieve information transparently from the keychain.
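The following is an added illustration of the access rules described in the Automated Access and Access Control sections (locked keychain, per-item trusted application list, the Allow Without Warning check box, and the Deny/Allow Once/Always Allow dialog). It is a constructed model written for this section, not Apple's Keychain implementation or API; the item, application and passphrase values are made up.

```python
# Constructed model of Keychain Access's item access-control decisions.
# Not Apple's code: it only encodes the rules described in the text above.
from dataclasses import dataclass, field

GRANT, PROMPT_PASSPHRASE, PROMPT_AUTHORIZE, DENY = (
    "grant", "prompt-passphrase", "prompt-authorize", "deny")


@dataclass
class KeychainItem:
    """One stored secret plus its Access Control panel settings."""
    secret: str
    allow_any_app: bool = False          # "Allow Access by Any Application"
    allow_without_warning: bool = True   # "Allow Access to This Item Without Warning"
    trusted_apps: set = field(default_factory=set)  # "Allow Access Only by These Applications"


@dataclass
class Keychain:
    passphrase: str
    locked: bool = True
    items: dict = field(default_factory=dict)

    def unlock(self, passphrase):
        # A wrong passphrase leaves the keychain locked (the Figure 7.63 dialog)
        if passphrase == self.passphrase:
            self.locked = False
        return not self.locked

    def lock(self):
        self.locked = True


def request(keychain, item_name, app):
    """Return (decision, secret); the secret is released only on GRANT."""
    if keychain.locked:
        return PROMPT_PASSPHRASE, None
    item = keychain.items[item_name]
    # With "Allow Without Warning" unchecked, every application must ask first,
    # even a trusted one or when any application is allowed.
    if item.allow_without_warning and (item.allow_any_app or app in item.trusted_apps):
        return GRANT, item.secret
    return PROMPT_AUTHORIZE, None


def answer_prompt(keychain, item_name, app, choice):
    """Apply the user's answer to the Figure 7.64 dialog."""
    item = keychain.items[item_name]
    if choice == "Always Allow":
        item.trusted_apps.add(app)       # persisted: no prompt for this app next time
    if choice in ("Always Allow", "Allow Once"):
        return GRANT, item.secret
    return DENY, None
```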

Adding New Entries

New pieces of information can be added to the keychain by clicking the Add button in the main Keychain window or choosing New Password Item from the File menu. This action will open a new window, shown in Figure 7.67, for entering the data to be stored. Enter the name or URL of the stored item in the Name field, the account name associated with the data in the Account field, and, finally, the sensitive data in the Password field. By default, the password is hidden as you type. To display the password as it is typed, click the Show Typing check box. Click Add when finished.


Figure 7.67 New items can easily be added manually to an existing keychain.

To remove any item from the keychain (either automatically or manually entered), select its name in the list, and then click the Remove button.

Managing Keychains

Each user account can have as many keychains as it needs. Choose Keychain List from the Edit menu to manage the keychains stored in your user account; the window shown in Figure 7.68 will appear.


Figure 7.68 Use the Keychain List to manage your available keychains.

As mentioned earlier, there is a single default keychain generated for each user account. New keychains can be created by clicking the New button in the keychain list window. You will be prompted for a name and save location for the keychain (the default is ~/Library/Keychains). Next, you will need to enter a passphrase that will unlock the new keychain. It's best to choose something different from your account password to prevent people who might gain access to your account from seeing your most sensitive information. If you'd like to add an existing keychain file (perhaps from your account on another Mac OS X machine), click Add, and then choose the keychain file on your drive.

When the new keychain is added or created within an account, you can switch to it by choosing its name from the Keychain menu. To remove a keychain from the system, highlight its name in the list, and then click Remove.

Keychain Settings

The Keychain Access application has no preferences, but it does allow some control over each keychain file, such as modifying the password that unlocks the keychain. To open the settings, open the appropriate keychain from the Keychain menu and then choose the Settings option from the Edit menu. You should see a new window, much like the one shown in Figure 7.69.


Figure 7.69 Set your keychains to lock after a certain length of time.

Within the settings window, you can use the Lock after XX minutes of inactivity setting to force Mac OS X to lock a keychain if it isn't used for a certain length of time. Checking Lock when the system sleeps will cause the keychain to be locked if the computer goes to sleep. Finally, click Change Passphrase to edit the password that unlocks the keychain. Press the Save button to save the settings for the keychain.

At this time, many applications don't yet take advantage of the keychain, but Apple is aggressively promoting this technology and it is slowly creeping into applications. I highly recommend that you take advantage of this application to help keep your passwords safe and easily accessible.


Keychain Access's menus give users the ability to switch between different keychains, and export keychains to other files. They provide the quickest means of accessing and managing additional keychains beyond the Mac OS X default chain.


Use the File menu to create new keychains and add new entries to them. The following options are available:

  • New Keychain (Command+N)— Create a new keychain file. You will be prompted for a passphrase to protect the keychain.
  • New Password Item— Enter a new password (or other piece of data) into the currently active keychain.
  • Lock (Command+L)— Lock the currently active keychain.
  • Lock All Keychains— Lock all of the open keychains.
  • Close Window (Command+W)— Close the active keychain window.
  • Get Info (Command+I)— Show the information about the selected keychain entry.
  • Export— Export the keychain data to another file.


The Edit menu contains two important entries in addition to the usual cut and paste: Keychain List and Settings. The Keychain List option opens a management window with all available keychains listed. The Settings option allows the user to change when the active keychain locks and what its passphrase is.


Use the Keychains menu to toggle between the different available keychains on the system. If you'd like to switch to a different default keychain (rather than the Mac OS X account default), this can be accomplished here as well.