 Published on MacDevCenter (http://www.macdevcenter.com/)


A Look at Keychain Access (and Why You Should Care)

by Giles Turnbull
12/16/2005

Password? What password?

Here's a conundrum: last time you switched on your Mac OS X computer, did you have to enter a password before it loaded up your user account and desktop?

No?

Funny, because the computer asked for one. You didn't see that part, nor did you see your computer provide a password for itself--but that is, in effect, what happened.

Your computer comes with a neat collection of security features built-in, but if you have it set up to automatically log you in every time you boot it up, you're bypassing one of the most basic of them.

What's more, the security system itself is helping you do it. Weird, huh? I think so.

So what's going on?

When Mac OS X boots up, it routinely wants a username and password. It has to ask for this, because the computer might have several accounts to use, and it needs to know which one to log in.

But in the Accounts Preferences pane, part of System Preferences, there's this curious little option:

How to blow your security out of the window with one click

Yes, the "Automatically login as..." feature lets you skip that all-important login step. How does it do this?

It stores your user login details in Keychain Access, an oft-used but not always-understood feature of the operating system.

Keychain Access, when prompted by the booting machine, offers up your user details so that the login can continue without any further input from you. Kind of neat, but also kind of dumb.

It turns out that this simple, single step is at the root of the most fundamental problem of Keychain Access, which is in almost all other respects an extremely useful and clever bit of software.

In this article, I'm going to take a closer look at Keychain Access. You'll find out exactly what it is, what it does, and why. And then, together, we'll come back to this problem and find out how you can take a few very simple precautions to claw back some additional security on your Mac.

What Is Keychain Access?

Introduced in Mac OS 9, Keychain Access is an API and an application designed to provide secure storage for all of your sensitive information, which in this case means not just your system password for automatically logging in, but much more besides.

Ever use the "Remember this password for next time" feature in your web browser? Sure you do; lots of people use it all the time. It saves such a lot of time and hassle. So have you ever wondered where, or how, those website passwords are saved?

Yup, Keychain Access.

Ever stored some details for an FTP or SFTP or AppleShare or other network connection--you know, so you don't have to keep tapping in tedious passwords over and over again? Of course you have; it's common practice. But did you stop to think about what was happening to that stored security information?

You got it--Keychain Access.

And, you know how your email client is set to check for new mail messages every 20 minutes, and it does everything automatically? Stuff like making a connection with your mail server, logging itself in with your secure account details (perhaps using SSH in the process), and downloading all your mail? That all happens, many times a day, without you ever entering the account password once, doesn't it? Can you even remember the account password? How is that all happening?

Oh yeah. Keychain Access.

In short, Keychain Access is there, lurking in the background, but it's taking notes about all sorts of stuff you do on your computer. Quite often, many users have no idea that by clicking OK or Save in some sheet or dialog box, they are adding new data to their keychain.

That's what Keychain Access is. What is it not?

It's not something that's going to guarantee the security of your Mac, should it end up in the wrong hands. Frankly, there's little you can do about that, since a savvy Mac thief can always plug the stolen machine into another Mac and boot it up in FireWire Target Disk Mode, thereby turning your treasured PowerBook into little more than a shiny backup disk drive.

Put it another way: Keychain Access is there to make your life easier. It's not there to make life harder for Evil Bob who's just stolen your computer and wants to find all your Sekrit Filez.

How Does Keychain Access Work?

The simplest way to think about Keychain Access is as a database for passwords. Its job is to remember some of the passwords and certificates you use frequently, so that you don't have to. The need for security is obvious, due to the nature of the information being stored.

According to Apple, Keychain Access can also be used for any other "sensitive information" (their wording, not mine), such as credit card numbers, software serial numbers, or PINs for bank accounts. Well, yes, it can be used for information like this, but if you intend to use it this way, make sure you take a few precautions first. More on that later.

Every time you make some kind of secure connection, or use software to send a password from one computer to another, Keychain Access steps in and supplies the password from your keychain, where they are all stored.

You get a default keychain automatically, when you first use your Mac. But it doesn't have to be the only keychain you use. In fact, you're allowed to set up several different ones and can put them to use in different ways.

Just as an example, there's nothing to stop you using the default keychain for day-to-day stuff like website logins and checking email accounts. But you could also create additional keychains; one for all of your work-related connections, another for online banking, and a third for those super-secret credit-card details that you want to keep handy, but away from prying eyes.

Every keychain you set up is a separate file, and each one can be locked and unlocked at different times.

What Does the Keychain Access Utility Do?

If you haven't fired it up already, look in your /Applications/Utilities folder to find the Keychain Access utility.

When you open it, you'll see something like this:

The main window in Keychain Access

Keychain Access is your central control panel for managing entire keychains, and individual items within them. Frankly, it's not a terribly user-friendly bit of software, with various odd commands hidden in unexpected places among the menus. But once you've gotten used to finding the functions it offers, you might find many of them very useful. It's worth exploring Keychain Access a bit, just to get to know what it can do.

Firstly, you can create new keychains, and control how each one behaves. To change options for one keychain, select it in the keychains list on the left, then click Edit -> "Change settings for Keychain name."

Now you'll see a panel like this:

Changing settings for one keychain

You can ensure that a keychain is either unlocked most of the time (a fair choice for your day-to-day keychain stuff: website passwords and so on), or locked most of the time (the best choice for your sekrits). This is also the place for looking after .Mac synchronization, if you have a .Mac account. This last feature lets you sync whole keychains between two or more Macs, and can be incredibly useful if you're using Macs in several different places.

As well as changing settings for whole keychains, you can also change settings for every individual keychain item.

Double-click any item in any keychain and you'll see another panel. Here, under the Access Control tab, you can say which applications have permission to access this particular item, and whether or not they have to ask for the keychain password when they do.

As well as passwords, Keychain Access deals with all of your digital certificates. Any certificate files that come into your possession can be imported to Keychain Access just by dragging them in. You can export certificates of your own using the File -> Export command.

When Apple says you can use Keychain Access for storing "sensitive information," it means using the Secure Notes feature.

A secure note is simply text you've entered, or pasted from elsewhere, which cannot be viewed without supplying the right password.

Adding a new Secure Note

Messing About with Keychains

Like lots of other files on your computer, a keychain can become messed up by user actions, or simply corrupted. In situations where a user has inadvertently changed the default keychain without realizing it, you might need to make use of the Keychain First Aid feature. Under the main Keychain Access menu, you'll see a First Aid command. In the resulting panel, you can choose to either verify or repair a selected keychain. This might not always fix the problem, but it's worth a try.

In cases where a keychain is somehow corrupted, even Keychain First Aid is unlikely to be any help. You're better off just starting fresh with a new keychain. In the Preferences panel, click the Reset My Keychain button. The old one will not be deleted, but simply shunted to one side to make room for the new default keychain. This new one will be empty of passwords, of course, so you'll have to do a lot of remembering to add them all back in again.

Keychains can be moved from one computer to another. You can, if you wish, copy a keychain from your computer's ~/Library/Keychains folder to another machine, and import it into Keychain Access there. You'll still need to enter the password to make use of it, of course.

Having moved a keychain, imported one from another machine, or created several, you might wish to use one of the new ones as your default, instead of login.keychain, which was created for you automatically. This is easy--in Keychain Access, click File -> "Make Keychain name Default," and it's done.

Changing share settings in Keychain List

Keychains can also be shared among users. If you've got several user accounts on one machine, and want all of those users to have access rights to a server or other network resources, you can select the appropriate keychain in the Keychain List (hit Option+Apple+L, or click Edit -> Keychain List) and check the box in the Shared column.

The Bad News

Back to the beginning.

The bad news is that if you have your computer automatically set up to log you in at startup, some of the security offered by Keychain Access is thrown away.

By default, when the computer boots and asks for a password, Keychain Access provides it and unlocks your default user keychain in the process. Your computer completes the boot and login process, and displays your desktop. Your personal keychain file has been unlocked during login, and remains unlocked until you log out.

Unless you go into the Keychain Access preferences (not a System Prefs panel, as you might expect, but the preferences within the Keychain Access application itself) and change the default behavior.

Change that default behavior

By unchecking the widget that says "Set login keychain as default," you prevent the keychain automatically unlocking itself when you log in to the machine, and potentially add an extra layer of protection between your data and Evil Bob.
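
The lock settings described earlier can also be checked from Terminal. The following is an added example, not part of the original article: it classifies keychains by whether they ever lock themselves. It assumes input lines in the form printed by `security show-keychain-info`; the function names, keychain names, and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed input: one line per keychain in the form printed by
#   security show-keychain-info <keychain>
# i.e.  Keychain "<path>" [lock-on-sleep] timeout=<N>s
#   or  Keychain "<path>" no-timeout

# audit_keychains [MAX_SECONDS]   (reads lines on stdin, default 600)
# Prints "<verdict> <path>" where verdict is:
#   OK           locks on sleep and after <= MAX_SECONDS of inactivity
#   WEAK         only one of those applies, or the timeout is too long
#   NEVER-LOCKS  stays unlocked until logout
audit_keychains() {
  max=${1:-600}
  while IFS= read -r line; do
    path=$(printf '%s\n' "$line" | sed -n 's/^Keychain "\(.*\)".*$/\1/p')
    [ -n "$path" ] || continue        # skip anything that is not a keychain line
    # Settings text after the quoted path, so a path containing
    # "timeout" cannot confuse the checks below.
    flags=$(printf '%s\n' "$line" | sed -n 's/^Keychain ".*"\(.*\)$/\1/p')
    secs=$(printf '%s\n' "$flags" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    case $flags in *lock-on-sleep*) sleep_lock=1 ;; *) sleep_lock=0 ;; esac
    if [ -z "$secs" ] && [ "$sleep_lock" -eq 0 ]; then
      verdict=NEVER-LOCKS
    elif [ -n "$secs" ] && [ "$secs" -le "$max" ] && [ "$sleep_lock" -eq 1 ]; then
      verdict=OK
    else
      verdict=WEAK
    fi
    printf '%s %s\n' "$verdict" "$path"
  done
}

# Constructed sample lines (not captured from a real machine).
sample_report() {
  cat <<'EOF'
Keychain "/Users/example/Library/Keychains/login.keychain" no-timeout
Keychain "/Users/example/Library/Keychains/banking.keychain" lock-on-sleep timeout=300s
Keychain "/Users/example/Library/Keychains/work.keychain" timeout=7200s
EOF
}

sample_report | audit_keychains 600
```

On a Mac, the same function can be fed the tool's real output for each file in ~/Library/Keychains instead of the sample; redirect stderr into the pipe in case the tool prints there.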

The Good News

The good news is that there are simple ways to give yourself a little extra security.

Simply by setting up your computer to insist that you log in manually every time, you make it a slightly more secure machine.

Another security precaution is to change your default keychain password to something that does not match your login password. That way, your keychain will not be unlocked when you log in to the machine.

If you choose to go down this route, you may quickly run into one of the disadvantages of being over-careful about security: websites and email clients and all sorts of other applications start pestering you with dialogs, asking you to enter your keychain password every single time something needs to be done. To avoid this, return to Keychain Access' preferences panel and check the "Show Status in Menu Bar" option.

Menu Bar widget enabled

Now you've got quick, easy access to your keychain controls from the menu bar, and you can lock and unlock whole keychains without having to mess around inside of Keychain Access itself.

Note that there's also a Lock Screen command, which may come in handy if you have to leave your machine unattended for short periods of time. It will ask for your username and password before letting you get back to work.

Another good policy is to create several keychains: one for boring day-to-day stuff--this might as well be your default login.keychain file--one for Secure Notes, and extras for any passwords and certificates that you need to keep extra secure.

When using the Secure Notes feature, it's a good idea to keep each note very short and restrict it to one piece of data. Also, give each note a meaningful title, but one that does not give away the contents of the note. You can use the search field in Keychain Access to search through all items, including notes, and if you have a lot of them, you'll be dependent on the titles you've created for the search to be useful.

Giles Turnbull is a freelance writer and editor. He has been writing on and about the Internet since 1997. He has a web site at http://gilest.org.


Copyright © 2009 O'Reilly Media, Inc.