This week we have a high-quality excerpt from the new ebook, "Take
Control of Passwords in OS X," written by Joe Kissell. The blurb
reads "If you've ever found yourself confused by all the passwords
your Mac asks you for, or anxious about your level of password
security, you should read this book." So, without further ado, read
away!
The Mac OS X Keychain
by Joe Kissell
[Excerpted from "Take Control of Passwords in OS X"]
Since the days of Mac OS 9, Apple has provided a systemwide
repository for each user (identified by Mac OS user name), in which
all of that person's user names and their associated passwords are
stored; this repository is called a keychain. The idea is that
instead of having to remember (and manually enter) dozens or hundreds
of user names and passwords individually, you let the keychain
remember (and enter) them for you. The keychain itself is encrypted
and protected by a password. By entering just that one password, you
unlock all the passwords inside the keychain; the system then hands
them to applications, network servers, or other resources as
necessary. Not all applications that use passwords are designed to
support the keychain, but most are.
(Although I use the word keychain in the singular - as does Mac OS X
in most cases - you can have more than one keychain. I discuss the
variety of keychains, and issues involving the use of multiple
keychains, in the full ebook.)
Whenever someone creates a user account, Mac OS X creates a keychain
named "login" for that account. (In some earlier versions of Mac OS
X, this keychain was given a name matching the user's short name -
for example, johnsmith. If you had such a keychain in the past and
either updated Mac OS X or copied your user data from one machine to
another, your current keychain may still have that name.) Normally,
this is your default keychain, and the only one you'll interact with
regularly.
Here's an example of how a keychain can work: Suppose you have two
Macs networked together, and one of them has Personal File Sharing
turned on. When you go to the other Mac, you click the Network icon
in your Finder's sidebar and the first Mac appears in the list. You
select its icon and click Connect. An authentication dialog appears.
After selecting Registered User and entering a valid user name and
password for the computer to which you're connecting, you select
Remember Password in Keychain and click Connect.
Behind the scenes, Mac OS X makes a new keychain entry containing the
address of the Mac you're connecting to and the user name and
password you need to connect to that Mac. Assuming your keychain is
unlocked, the next time the authentication dialog appears for this
server, it's already filled in; you need only click Connect. (Had you
not selected Remember Password in Keychain earlier, you would have
been presented with blank Name and Password fields to fill in manually.)
By default, your keychain password is the same as your login
password. Upon login, if your keychain is named "login" (or has the
same name as your user name) and your login password is the same as
your keychain password, your keychain is unlocked automatically. Of
course, by default, Mac OS X also logs you in automatically when you
turn on your computer. In other words, unless you change those
default settings, your keychain is unlocked every time you turn on
your computer - not a terribly secure situation! Therefore, unless
you use your computer only in a setting where other people can't
physically access it, I recommend changing your keychain password so
that it's different from your login password and turning off
automatic login.
Note that your keychain interacts with most parts of Mac OS X, but
since you can't access it until you've logged in, it can't
automatically fill in your login password or firmware password. You
can enter those passwords in your keychain manually if you want to,
simply to have a secure place to keep them.
**Choose and Set a Keychain Password** -- Because your keychain
protects all your other passwords, your keychain password should be
the strongest one you have - in other words, at least as strong as
any other password in the keychain. If your keychain password is less
secure than it should be, you can change it in either of two ways:
* Change your login password. If your keychain password is identical
to your login password, changing your login password also changes
your keychain password to match.
* Change your keychain password independently.
**Use Your Keychain Password** -- Mac OS X adds user names and
passwords to your default keychain every time you enter them when the
Remember Password in Keychain checkbox is selected. You can also add
them manually.
At login, Mac OS X tries to unlock your default keychain. If you've
created other keychains and the default keychain is not "login" (or
the one matching your user name), a prompt appears asking for the
default keychain's password.
Even if your keychain unlocks automatically at login (because its
password is the same as your login password), you can still lock or
unlock it manually at any time, in either of the following ways:
* If the Keychain menu appears in your menu bar, choose Lock
Keychain "keychain-name" (or Lock All Keychains) from that menu to
lock it; choose Unlock Keychain "keychain-name" to unlock it. If this
menu does not appear in your menu bar, you can add it.
* Open Keychain Access (in /Applications/Utilities). If the Keychains
list is not showing on the upper left in the window, click the Show
Keychains button at the bottom left. Select your keychain in this
list; then choose File > Lock Keychain "keychain-name".
You can also set a keychain to lock automatically after a given
period of inactivity, when your computer goes to sleep, or both. In
either case, Mac OS X prompts you to unlock the keychain the next
time it's required to access some resource.
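The two defaults this excerpt warns about (automatic login, and a keychain that never locks itself) can also be checked from Terminal. The script below is an added example, not part of the ebook excerpt; the function names, the keychain file name login.keychain, the 300-second value, and the assumed output format of `security show-keychain-info` are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit the two defaults the excerpt warns about.
# Assumed output format of `security show-keychain-info` (printed on stderr):
#   Keychain "<path>" [lock-on-sleep] timeout=<N>s   or   ... no-timeout

# Classify one show-keychain-info line; prints findings, "ok" or "unparsed".
audit_keychain_info() {
    case "$1" in
        Keychain\ \"*) ;;                  # looks like a settings line
        *) echo "unparsed"; return ;;      # e.g. an error message
    esac
    settings=${1##*\"}                     # drop the quoted path, keep the flags
    findings=""
    case "$settings" in
        *no-timeout*) findings="no-inactivity-lock" ;;
    esac
    case "$settings" in
        *lock-on-sleep*) ;;
        *) findings="${findings:+$findings }no-lock-on-sleep" ;;
    esac
    echo "${findings:-ok}"
}

# $1 is the loginwindow autoLoginUser value; empty means the key is absent.
audit_autologin() {
    if [ -n "$1" ]; then echo "autologin-enabled:$1"; else echo "ok"; fi
}

# Constructed sample lines, so the parser can be exercised off a Mac.
SAMPLE_WEAK='Keychain "/Users/johnsmith/Library/Keychains/login.keychain" no-timeout'
SAMPLE_GOOD='Keychain "/Users/johnsmith/Library/Keychains/login.keychain" lock-on-sleep timeout=300s'
echo "sample (weak): $(audit_keychain_info "$SAMPLE_WEAK")"
echo "sample (good): $(audit_keychain_info "$SAMPLE_GOOD")"

# Live audit, only where the macOS tools exist.
if command -v security >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    info=$(security show-keychain-info login.keychain 2>&1 || true)
    user=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true)
    echo "keychain:  $(audit_keychain_info "$info")"
    echo "autologin: $(audit_autologin "$user")"
    # To lock on sleep and after 300 s idle (300 is an example value):
    #   security set-keychain-settings -l -u -t 300 login.keychain
fi
```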
Most of your interaction with your keychain will involve locking or
unlocking it, and agreeing (or not) to have various passwords stored
there. However, you can do a great deal more with your keychain using
the Keychain Access utility, which I cover in the full ebook in detail.
Purchase the entire "Take Control of Passwords in OS X" ebook here:
http://www.takecontrolbooks.com/passwords-macosx.html
See all Take Control ebooks here:
http://www.smalldog.com/takecontrol.html
Remember, when you buy a Take Control ebook from Take Control, you
will get a $5.00 coupon good for any purchase from Small Dog
Electronics!
Posted by Cyndi
Wednesday, November 15, 2006