Using the Keychain in Older Versions of Mac OS X

A previous book by Joe, Take Control of Passwords in Mac OS X, Second Edition, published in 2009, looked at passwords on just the Mac and with an emphasis on Apple’s then-current operating system 10.6 Snow Leopard, with coverage of 10.5 Leopard and notes on 10.4 Tiger. That ebook had a chapter about using Apple’s keychain software in those versions of Mac OS X, and several readers have written to us, seeking that older information. We didn’t respond by sending them the older ebook, because too much of the advice and contextual information in that ebook is obsolete or even flat-out wrong, given how surprisingly sophisticated password cracking tools have become—and how much has changed beyond Mac OS X, such as the end of Apple’s MobileMe online service.

Even so, we were able to extract some (but not all) of the information about using the keychain in Snow Leopard and Leopard (and, sort of, Tiger). So, if keychain assistance in those older “Big Cat” versions of Mac OS X is what you seek, help is at hand below.

But, first, a caveat from the newer Take Control of Your Passwords:

Mac users may be familiar with the Keychain, a system-wide password manager built into Mac OS X. The Keychain can store passwords for servers you connect to in the Finder, Web sites you visit in Safari (if you enable that feature), and other devices and services. You can also add secure notes manually. To view or edit the contents of your keychain, open the Keychain Access app, found in /Applications/Utilities.

The Keychain works well enough for what it does, and almost every Mac user will want to use it for at least a few basic passwords—such as those for Wi-Fi base stations, encrypted disk images, and local network file servers—that would require manual entry and retrieval with any other password manager. But because you can’t access your keychain on any other devices (not even your iPhone), and because Keychain Access is rather cumbersome to use even on your Mac, I don’t recommend using the Keychain as an all-purpose password manager. Because it serves an important purpose, however, I recommend using a strong password to secure your keychain. By default, your keychain uses the same login password as your Mac OS X user account, which means that as long as you’re logged in, your keychain is unlocked. If you prefer to use a different password for your keychain—so you can keep it locked until you need it—open Keychain Access, select your login keychain, and choose Edit > Change Password for Keychain “login”…. Enter your current password, enter and verify your new password, and click OK.

And now, on to the older text.


Keychains


Since the days of Mac OS 9, Apple has provided a system-wide repository for each user that stores all of that person’s usernames and the passwords associated with them; this repository is called a keychain. The idea is that instead of having to remember (and manually enter) dozens or hundreds of usernames and passwords individually, you let the keychain remember (and enter) them for you. The keychain itself is encrypted and protected by a password. By entering just that one password, you unlock all the passwords inside the keychain; the system then hands them to applications, network servers, or other resources as necessary. Not all applications that use passwords are designed to support the keychain, but most do.

All chained up: Although I use the word keychain in the singular (as does Mac OS X in most cases), you can have more than one keychain.

Whenever someone creates a user account, Mac OS X creates a keychain named “login” for that account. (In some earlier versions of Mac OS X, this keychain was given a name matching the user’s short name—for example, johnsmith. If you had such a keychain in the past and either updated Mac OS X or copied your user data from one machine to another, your current keychain may still have that name.) Normally, this is your default keychain, and the only one you’ll interact with regularly.

Here’s an example of how a keychain can work: Suppose you have two Macs networked together, and one of them has File Sharing turned on. When you go to the other Mac, the first Mac appears in the Finder’s sidebar under “Shared.” You select its icon and click Connect. An authentication dialog appears.

When you check Remember This Password in My Keychain and click Connect, Mac OS X adds the username and password to your default keychain.

After selecting Registered User and entering a valid username and password for the computer to which you’re connecting, you check Remember This Password in My Keychain and click Connect. Behind the scenes, Mac OS X makes a new keychain entry containing the address of the Mac you’re connecting to and the username and password you need to connect to that Mac. Assuming your keychain is unlocked, the next time the authentication dialog appears for this server, it’s already filled in; you need only click Connect. (Had you not checked Remember This Password in My Keychain earlier, you would have been presented with blank Name and Password fields to fill in manually.)

By default, your keychain password is the same as your login password. Upon login, if your keychain is named “login” (or has the same name as your username) and your login password is the same as your keychain password, your keychain is unlocked automatically. Of course, by default, Mac OS X also logs you in automatically when you turn on your computer. In other words, unless you change those default settings, your keychain is unlocked every time you turn on your computer—not a terribly secure situation! Therefore, unless you use your computer only in a setting where other people can’t physically access it, I recommend changing your keychain password so that it’s different from your login password (described below) and turning off automatic login.

You can turn off automatic login in the Accounts preference pane: click the lock and authenticate with an administrator password; then click Login Options and choose Disabled from the Automatic Login pop-up menu (in Leopard or Snow Leopard) or uncheck Automatically Log In As (in Tiger). Or, open the Security preference pane (and then, in Leopard or Snow Leopard, go to the General view) and check Disable Automatic Login.


View Your Passwords


Over time, as you fill out forms on Web pages, connect to file servers and wireless networks, and use software that requires access to your keychain, you’ll accumulate many passwords. You may occasionally need to know a password (as opposed to having it entered for you), so the Keychain Access utility lets you view your passwords.

The passwords (along with certificates, secure notes, and other keychain items) appear in a list. As with most lists, you can click a column heading to sort by that heading; click a second time to reverse the sort order. If you’re unable to locate a certain password by name, you can use either or both of two shortcuts:

  • Click an item in the Category list on the left to show only items in that category. (Note that Passwords has three subcategories.)
  • Enter part of a domain name, username, or application name in the Spotlight search field in the upper right of the window to look for matching items. (Spotlight can see the items’ names and account information, but not your passwords themselves.)

Once you’ve located the item that you’re looking for, double-click it to open it in a new window.

To see the password associated with the item, check the Show Password checkbox. In the access confirmation dialog that appears, enter your keychain password and click either Always Allow (to prevent this dialog from appearing again for this particular item) or Allow (to display the password but require entry of your keychain password if this item is opened again in the future).


Delete Passwords


If you’ve canceled an account or for some other reason no longer want your keychain to remember a password, you can delete the password. Simply select it and either press Delete or choose Edit > Delete. Confirm the deletion by clicking the Delete button.

Another reason for deleting passwords is duplicates. For example, suppose you fill out a Web form with a username and password and ask Safari to remember them in your keychain; then the Web site displays an error message and you realize you entered the wrong username. You try again, and this time you succeed. Now your keychain has two separate entries, one for each username you entered! If, while scanning your keychain, you notice such duplicates, feel free to delete the wrong one (usually the one with the earlier modification date). On the other hand, having extra entries does no harm, because by default Mac OS X uses the most recent entry for any given URL.


Change Your Keychain Password


If you want to use a different password for your keychain than for login (or simply want to change it periodically on principle), you can do so easily. Select the keychain in Keychain Access and choose Edit > Change Password for Keychain “keychain-name”. Enter the current password, enter and verify a new password, and click the OK button.

Make Keychain “keychain-name” Default.


Use the Keychain Menu


Keychain Access contains one last option I want to tell you about: the Keychain menu. With this menu enabled, you see a lock icon in your menu bar. Clicking this icon displays a menu that lets you lock or unlock keychains quickly, among other tasks.

To enable the Keychain menu, choose Keychain Access > Preferences, click General, and check the Show Status in Menu Bar checkbox.