
A Look at Keychain Access (and Why You Should Care)

Messing About with Keychains

Like lots of other files on your computer, a keychain can become messed up by user actions, or simply corrupted. In situations where a user has inadvertently changed the default keychain without realizing it, you might need to make use of the Keychain First Aid feature. Under the main Keychain Access menu, you'll see a First Aid command. In the resulting panel, you can choose to either verify or repair a selected keychain. This might not always fix the problem, but it's worth a try.

In cases where a keychain is somehow corrupted, even Keychain First Aid is unlikely to be any help. You're better off just starting fresh with a new keychain. In the Preferences panel, click the Reset My Keychain button. The old one will not be deleted, but simply shunted to one side to make room for the new default keychain. This new one will be empty of passwords, of course, so you'll have to do a lot of remembering to add them all back in again.

Keychains can be moved from one computer to another. You can, if you wish, copy a keychain from your computer's ~/Library/Keychains folder to another machine, and import it into Keychain Access there. You'll still need to enter the password to make use of it, of course.

Having moved a keychain, imported one from another machine, or created several, you might wish to use one of the new ones as your default, instead of login.keychain, which was created for you automatically. This is easy--in Keychain Access, click File -> "Make Keychain name Default," and it's done.

Changing share settings in Keychain List

Keychains can also be shared among users. If you've got several user accounts on one machine, and want all of those users to have access rights to a server or other network resources, you can select the appropriate keychain in the Keychain List (hit Option+Apple+L, or click Edit -> Keychain List) and check the box in the Shared column.

The Bad News

Back to the beginning.

The bad news is that if you have your computer automatically set up to log you in at startup, some of the security offered by Keychain Access is thrown away.

By default, when the computer boots and asks for a password, Keychain Access provides it and unlocks your default user keychain in the process. Your computer completes the boot and login process, and displays your desktop. Your personal keychain file has been unlocked during login, and remains unlocked until you log out, unless you go into the Keychain Access preferences (not a System Prefs panel, as you might expect, but the preferences within the Keychain Access application itself) and change the default behavior.

Change that default behavior

By unchecking the widget that says "Set login keychain as default," you prevent the keychain automatically unlocking itself when you log in to the machine, and potentially add an extra layer of protection between your data and Evil Bob.

The Good News

The good news is that there are simple ways to give yourself a little extra security.

Simply by setting up your computer to insist that you log in manually every time, you make it a slightly more secure machine.

Another security precaution is to change your default keychain password to something that does not match your login password. That way, your keychain will not be unlocked when you log in to the machine.

If you choose to go down this route, you may quickly run into one of the disadvantages of being over-careful about security: websites and email clients and all sorts of other applications start pestering you with dialogs, asking you to enter your keychain password every single time something needs to be done. To avoid this, return to Keychain Access' preferences panel and check the "Show Status in Menu Bar" option.

Menu Bar widget enabled

Now you've got quick, easy access to your keychain controls from the menu bar, and you can lock and unlock whole keychains without having to mess around inside of Keychain Access itself.

Note that there's also a Lock Screen command, which may come in handy if you have to leave your machine unattended for short periods of time. It will ask for your username and password before letting you get back to work.

Another good policy is to create several keychains: one for boring day-to-day stuff (this might as well be your default login.keychain file), one for Secure Notes, and extras for any passwords and certificates that you need to keep extra secure.
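Everything the last few sections describe clicking through in Keychain Access (adding a keychain to the search list, making one the default, giving it a password that differs from your login password, and locking it on a timer and on sleep) can also be done with Apple's `security` command-line tool. The script below is an added example, not part of the article; the keychain name `sensitive.keychain` and the 300-second timeout are constructed sample values, and the `DRY_RUN` switch, which prints each `security` invocation instead of executing it, is a convenience of this example so the logic can be previewed on a machine without the tool.

```shell
#!/bin/sh
# Added example (not from the article): manage a separate, stricter keychain
# with the macOS `security` tool. Assumes `security` is on the PATH (macOS).
# KEYCHAIN and LOCK_AFTER below are constructed sample values.

KEYCHAIN="${KEYCHAIN:-sensitive.keychain}"   # constructed name
LOCK_AFTER="${LOCK_AFTER:-300}"               # idle seconds before auto-lock

# Run a `security` invocation, or just print it when DRY_RUN is set.
run_security() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'security %s\n' "$*"
    else
        security "$@"
    fi
}

# Create the keychain. No -p flag on purpose: `security` then prompts for the
# password interactively, so it never appears in shell history or `ps` output.
# Pick a password that differs from your login password (see the text above).
create_keychain() {
    run_security create-keychain "$KEYCHAIN"
}

# Add the keychain to the user's search list so applications can find items in it
# (the CLI equivalent of importing a copied keychain file into Keychain Access).
add_to_search_list() {
    run_security list-keychains -d user -s login.keychain "$KEYCHAIN"
}

# Make this keychain the default (File -> "Make Keychain <name> Default").
make_default() {
    run_security default-keychain -d user -s "$KEYCHAIN"
}

# Lock on sleep (-l) and after LOCK_AFTER seconds idle (-u -t), so the keychain
# does not simply stay unlocked from login until logout.
set_autolock() {
    run_security set-keychain-settings -l -u -t "$LOCK_AFTER" "$KEYCHAIN"
}

# Manual lock/unlock, the same as the menu bar widget's Lock/Unlock commands.
# unlock-keychain without -p prompts for the password.
lock_keychain()   { run_security lock-keychain "$KEYCHAIN"; }
unlock_keychain() { run_security unlock-keychain "$KEYCHAIN"; }

# Full setup sequence for a new "extra secure" keychain.
harden_keychain() {
    create_keychain && add_to_search_list && set_autolock && lock_keychain
}

# Usage: sh harden-keychain.sh run        (DRY_RUN=1 sh harden-keychain.sh run to preview)
case "${1:-}" in
    run) harden_keychain ;;
esac
```

`make_default` is deliberately left out of `harden_keychain`: the article's advice is to keep the ordinary login.keychain as the default and reserve the stricter keychain for the few items that warrant the extra prompts, so switching the default is a separate decision. Note that `list-keychains -s` replaces the whole search list, which is why login.keychain is named explicitly alongside the new keychain.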

When using the Secure Notes feature, it's a good idea to keep each note very short and restrict it to one piece of data. Also, give each note a meaningful title, but one that does not give away the contents of the note. You can use the search field in Keychain Access to search through all items, including notes, and if you have a lot of them, you'll be dependent on the titles you've created for the search to be useful.

Giles Turnbull is a freelance writer and editor. He has been writing on and about the Internet since 1997. He has a web site at
