Tech Tidbit: MacOS Keychain

I’ve been using a MacBook for about 4 years now and I’m still tripping over features that I see frequently but have made assumptions about, based on my knowledge of a variety of other platforms including Windows, Linux, UNIX and old Macs.

I’m currently doing some research on Mac malware and anti-virus/malware solutions for a future post and I ended up taking a deeper dive into the credentials management feature of MacOS called Keychain. As usual, I was thrown and a little blown away by what this feature really provides the user.

What I thought it was: A secure method for auto-populating credentials for various applications and websites.

What it is: A secure and easily usable store for all security credentials, with some pretty useful features.

So, in its basic form, when you create a new password for an app, you’ll be asked if you want to store it in the keychain. If you attempt to subsequently access it, you might get a popup:

You can then allow access one time only (Allow), refuse it (Deny) or always allow it (Always Allow). Remember, with the latter option, you’ll not be prompted again, so take a moment to ensure that’s the right answer.

OK … that’s what I knew until I looked further.    It turns out that Keychain manages all the system’s credentials, including passwords (both internal and web), security certificates, encryption keys and the like.   Additionally, it allows the user to manage their credentials.

One feature that it also provides that I think is particularly useful is the secure note.   The secure note is a note that resides within the Keychain (so it’s as secure as the Keychain’s password).   It’s a terrific way to store very sensitive data, like bank account numbers, social security numbers, you get the idea. You might have that in a regular note or Word document.  This is much more secure.

You can also store and retrieve Web credentials. It also has a password strength indicator, which is quite useful when creating new passwords. Because it auto-populates credentials, you can have strong and different passwords for different accounts. Since a hacker will typically attempt to get at one password, then use it for other sites, this is a particularly nice feature.

What if you forget a given password that happens to be in your Keychain?  You can open the item and see the password (after entering the Keychain password).

Finally, by opening the utility Keychain Access, you’ll be able to open and edit credentials and secure notes.

A couple cautions and suggestions:

  • To be able to use the auto-populating feature in Safari, set the Safari preference “User names and passwords” (the default is unset).

  • I’d recommend creating a new keychain for very sensitive credentials, like financial sites.  Be sure to use a different password.  That way, if your login keychain gets compromised, the other keychain will remain secure.
  • To help keep your login keychain from getting compromised, change the password (the default is to use your login password). That way, if your login credentials get known or compromised, your keychain will remain secure.
  • Be sure to squirrel away all the Keychain passwords in a secure manner.
  • Be aware it’s local to the computer’s Keychain app. There are third-party cloud versions if you want access across computers/devices.
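
The separate-keychain suggestion above can also be scripted with macOS's `security` command-line tool. This is an added example, not part of the original post; the keychain name `finance.keychain` and the 300-second timeout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): create a separate keychain for
# high-value credentials with macOS's `security` tool. The keychain name and
# the timeout passed in are illustrative assumptions.

# Append a keychain to the user's search list, keeping the existing entries.
add_to_search_list() {
    kc=$1
    # list-keychains prints one indented, double-quoted path per line.
    existing=$(security list-keychains -d user |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//')
    old_ifs=$IFS
    IFS='
'
    set -f                      # split on newlines only, no globbing
    set -- $existing "$kc"
    set +f
    IFS=$old_ifs
    security list-keychains -d user -s "$@"
}

setup_sensitive_keychain() {
    kc=$1
    timeout=${2:-300}
    # No -p option: `security` prompts for the new password, so it never
    # appears in shell history. Use one that differs from the login password.
    security create-keychain "$kc" || return 1
    # -l: lock when the Mac sleeps; -u -t: lock after $timeout seconds of
    # inactivity.
    security set-keychain-settings -l -u -t "$timeout" "$kc" || return 1
    # Add it to the user search list if it is not already there.
    if ! security list-keychains -d user | grep -F -q "$kc"; then
        add_to_search_list "$kc" || return 1
    fi
    # Leave it locked until it is actually needed.
    security lock-keychain "$kc"
}

# Usage: sh sensitive-keychain.sh finance.keychain 300
if [ "$#" -gt 0 ]; then
    setup_sensitive_keychain "$@"
fi
```

Because the keychain locks on sleep and after the timeout, anything that reads from it will ask for its own password again, independent of the login keychain.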

For more information on Keychain, including instructions on how to use it:

  • From AOL Tech’s The Unofficial Apple Weblog (TUAW): Mac 101: Keychain
  • Here’s a primer from the Mac Owners Support Group:



