A Look at Keychain Access (and Why You Should Care)by Giles Turnbull
Password? What password?
Here's a conundrum: last time you switched on your Mac OS X computer, did you have to enter a password before it loaded up your user account and desktop?
Funny, because the computer asked for one. You didn't see that part, nor did you see your computer provide a password for itself--but that is, in effect, what happened.
Your computer comes with a neat collection of security features built-in, but if you have it set up to automatically log you in every time you boot it up, you're bypassing one of the most basic of them.
What's more, the security system itself is helping you do it. Weird, huh? I think so.
So what's going on?
When Mac OS X boots up, it routinely wants a username and password. It has to ask for this, because the computer might have several accounts to use, and it needs to know which one to log in.
But in the Accounts Preferences pane, part of System Preferences, there's this curious little option:
Yes, the "Automatically login as..." feature lets you skip that all-important login step. How does it do this?
It stores your user login details in Keychain Access, an oft-used but not always-understood feature of the operating system.
Keychain Access, when prompted by the booting machine, offers up your user details so that the login can continue without any further input from you. Kind of neat, but also kind of dumb.
It turns out that this simple, single step is at the root of the most fundamental problem of Keychain Access, which is in almost all other respects an extremely useful and clever bit of software.
In this article, I'm going to take a closer look at Keychain Access. You'll find out exactly what it is, what it does, and why. And then, together, we'll come back to this problem and find out how you can take a few very simple precautions to claw back some additional security on your Mac.
What Is Keychain Access?
Introduced in Mac OS 9, Keychain Access is an API and an application designed to provide secure storage for all of your sensitive information, which in this case means not just your system password for automatically logging in, but much more besides.
Ever use the "Remember this password for next time" feature in your web browser? Sure you do; lots of people use it all the time. It saves such a lot of time and hassle. So have you ever wondered where, or how, those website passwords are saved?
Yup, Keychain Access.
Ever stored some details for an FTP or SFTP or AppleShare or other network connection--you know, so you don't have to keep tapping in tedious passwords over and over again? Of course you have; it's common practice. But did you stop to think about what was happening to that stored security information?
You got it--Keychain Access.
And, you know how your email client is set to check for new mail messages every 20 minutes, and it does everything automatically? Stuff like making a connection with your mail server, logging itself in with your secure account details (perhaps using SSH in the process), and downloading all your mail? That all happens, many times a day, without you ever entering the account password once, doesn't it? Can you even remember the account password? How is that all happening?
Oh yeah. Keychain Access.
In short, Keychain Access is there, lurking in the background, but it's taking notes about all sorts of stuff you do on your computer. Quite often, many users have no idea that by clicking OK or Save in some sheet or dialog box, they are adding new data to their keychain.
That's what Keychain Access is. What is it not?
It's not something that's going to guarantee the security of your Mac, should it end up in the wrong hands. Frankly, there's little you can do about that, since a savvy Mac thief can always plug the stolen machine into another Mac and boot it up in Firewire Target Disk mode, thereby turning your treasured PowerBook into little more than a shiny backup disk drive.
Put it another way: Keychain Access is there to make your life easier. It's not there to make life harder for Evil Bob who's just stolen your computer and wants to find all your Sekrit Filez.