Using the Keychain


Virtually every file server to which you connect, some of the Web sites you visit, and any number of network services you invoke require you to identify yourself with a name and a password. These combinations of name and password are called access keys, or just keys for short. If other people can guess your keys easily, the main reason for having them has failed. Similarly, if you use the same key for more than one account, anyone who obtains the key to one account can access the rest of your accounts — again, not a good thing. The difficulty with using multiple keys is the inconvenience of having to remember multiple not-easily-guessed keys and further, to remember which keys go with which account.

Because of this, Apple developed a keychain technology to help you keep track of your various account names and passwords. In fact, the keychain can automatically provide your name and password as needed. Apple first introduced the concept of a keychain with System 7 Pro’s AOCE (Apple Open Collaborative Environment), also known as PowerTalk, a decade ago. Because AOCE’s acceptance was less than inspiring, even the well-liked pieces, such as the keychain, were not widely used. PowerTalk disappeared from Apple System Software releases after System 7.5.5. Apple revived the keychain in Mac OS 9 and, because it didn’t bring with it the overhead and clumsiness of AOCE, many more users started taking advantage of it. Now, with Mac OS X, the keychain continues to be even better integrated with Mac OS and its software.

You can use keychains to hold passwords for applications, Web sites, and servers. When you launch the application or connect to the server or Web site, your keychain supplies the password so that you don’t have to type it, provided that you are using keychain-aware software.

Note

As discussed in Chapter 6, Safari has the capability of saving names and passwords for the Web sites that you have logins for. Safari stores these passwords in the keychain that we are discussing.

Initially, Mac OS X creates a default keychain, whose name is the same as your login account’s short name, and a password that matches your login password. When you log in to Mac OS X, this keychain is automatically unlocked for you. You’re not limited to just this one keychain, though. You can create multiple keychains to store password information for different purposes if you desire. One reason to create multiple keychains is if you wish to segregate some groups of keys from the rest and not have all your keys accessible at the same time. You may not want your spouse to know your keys for certain FTP sites, but might also need to make the keys for other sites available. In general, the keychain functions in the background, and many people will never even need to open it. For those who want extra control and customization, follow along!

Copying a keychain to another computer

If you want to use a keychain from your computer on another Mac OS X computer, you simply copy the keychain file. The usual location for keychain files is the Keychains folder in the Library folder of your home folder (path ~/Library/Keychains).

  1. Copy your keychain to a location (such as a network server) that you can access from the other computer.

  2. Open Keychain Access on the other computer (in the Utilities folder of its Applications folder).

  3. Choose File → Add Keychain.

  4. Select your keychain and click Open.

Creating a keychain

If you want to create additional keychains, you do so with the Keychain Access application (located in the Utilities folder of your Applications folder). In Keychain Access, choose File → New Keychain. In the regular Save As dialog that appears, enter a name for your new keychain, select a location to save it in, and click the Create button. Figure 10-14 shows the Save As dialog for creating a keychain.

Figure 10-14: Saving a new keychain.

After you click Create, the New Keychain Password dialog appears. Decide on a password or phrase that you want to unlock the keychain, and enter it in both text boxes. The password can be up to 255 characters in length and is case-sensitive. As with all passwords, this should be something that you can remember and that you can type blind but will not be easily guessed by others. Click the disclosure triangle labeled Details to see the location of the keychain and the identity of the application that is creating it. Figure 10-15 shows the New Keychain Password dialog.

Figure 10-15: Enter the password for your new keychain twice.

Adding an item to your keychain

After you enter the identical password twice and click OK, Keychain Access displays your new keychain’s window. Initially, it is empty. More commonly, you’ll want to view your already existing keychain by clicking on it. If you’ve been using your system for a while, chances are you’ll see at least one or two saved keychain items in the list. Items appear in the list when parts of Mac OS X, for example Safari, save your passwords. This is where they get saved.

You can also add items to your existing keychain. In Mac OS X 10.3, you can add two kinds of items: a password item or a secure note. You can add either of these by choosing its command from the File menu. Most keychain items are created on the fly, as you log into sites and servers and choose to save the information. In some cases, however, you might want to manually create an item, and the Keychain Access application lets you. When you choose New Password Item from the File menu, you are presented with the dialog shown in Figure 10-16.

Figure 10-16: Creating a new password item.

To create a new keychain item:

  1. Type in the location of the Web site or server in the Name field.

  2. Enter your account username in the Account field.

  3. Enter your password in the password field.

If the checkbox is checked, Keychain Access will display your password in clear text. If you type a Web site’s location in, the next time you visit that site, Safari will make an attempt to use the information provided by this new password item. If you type in the location of a file server, the Finder will attempt to use the provided information the next time you connect to that server. Click the Add button to save it.

You can also choose to make a secure note in the Keychain Access application, which is a way of storing sensitive information that you might need to retrieve at a later date. Choosing New Secure Note Item from the File menu presents you with the screen shown in Figure 10-17.

Figure 10-17: Creating a new secure note item.

Next, type in both a name to call your secure note and the information that you want to store. When this is accomplished, click the Add button to save it. Later, you can customize the level of access to this, but the idea behind the secure note item is to save sensitive information in a secure form.

Tip

If you want the keychain that is selected to be your default keychain (the one automatically unlocked when you log in to Mac OS X), choose File → Make “keychain name” Default. If the selected keychain is the default already, then this option is grayed out.

Locking and unlocking your keychain

When a keychain is unlocked, all items in it are available to keychain-aware applications; however, if the keychain is locked, the items are unavailable until you unlock the keychain by entering the passphrase when prompted.

Locking a keychain is simple. In the main window in the Keychain Access application, click the Lock button to lock the selected keychain. When the keychain is locked, the detail information is hidden and the button’s name changes to Unlock. You can also lock a keychain by choosing File → Lock “keychain name” (⌘-L) and can lock all keychains by choosing File → Lock All Keychains.

Managing keychain items

After adding items to your keychain, you need to consider keeping them up-to-date. For example, periodically changing your passwords is considered good practice for security reasons. Alternatively, you may want to remove keys to file servers or Web sites that no longer exist.

Removing a keychain item is easy. In the Keychain Access window, select the item you want to delete and click the Delete button.

As in the Finder, Keychain Access enables you to view information for keychain items. Select the item (click on it) to view its information in the bottom of the Keychain window. The two subpanes are Attributes and Access Control.

Attributes tab

In the Attributes tab (see Figure 10-18), you can click the Show Password button to see the item’s password. Use the copy to clipboard button if you want to paste it somewhere else. In this pane, you are also shown the kind of item it is (application, Internet, AppleShare, and so on), where it is located, to which account it belongs, when it was created, and when last modified. You also are presented with a Comments text box where you can enter information about the item (such as a URL for named Web server items). Make sure to click the Save Changes button if you make any changes to any of the fields in the window.

Figure 10-18: Click the Show password button to see an item’s password.

Access Control tab

In the Access Control tab, shown in Figure 10-19, you find an option labeled Allow all applications to access this item. If this option is not selected, you are always prompted for keychain confirmation anytime something attempts to access this item. If you don’t want all applications to have access, you can specify select applications that always have access to this keychain item by adding the applications to the Always allow access by these applications list. Click the Add and Remove buttons as appropriate.

Figure 10-19: The Access Control pane of Keychain Access allows different levels of security for keychain items in the same keychain.

Changing keychain settings

You can set conditions under which your keychain automatically locks. You can also change the password of an existing keychain.

To change locking conditions of a keychain, choose Change Settings for Keychain “keychain name” from the Edit menu. This brings up the dialog box shown in Figure 10-20. From this dialog, you can choose to automatically lock the keychain after a specified number of minutes of computer inactivity, or to lock the keychain when the computer goes to sleep.

Figure 10-20: Control the settings for automatically locking a keychain.
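
The same auto-lock settings can be applied and audited from Terminal. The script below is an added example, not from the book; it assumes the macOS security command-line tool, and the helper names (autolock_keychain, check_settings) and the show-keychain-info line format it parses are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): the auto-lock dialog's settings applied and
# audited with the macOS `security` command-line tool.

# The dialog takes minutes of inactivity; `security` takes seconds.
minutes_to_seconds() {
    case "$1" in
        ''|*[!0-9]*|0*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    echo $(( $1 * 60 ))
}

# Print the command when DRY_RUN=1 or `security` is absent (non-macOS); else run it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v security >/dev/null 2>&1; then
        echo "$*"
    else
        "$@"
    fi
}

# autolock_keychain KEYCHAIN MINUTES
# -l locks when the computer sleeps; -u -t locks after the inactivity timeout.
autolock_keychain() {
    secs=$(minutes_to_seconds "$2") || return 1
    run security set-keychain-settings -l -u -t "$secs" "$1"
}

# check_settings INFO_LINE MAX_MINUTES
# Audits one line in the format assumed for `security show-keychain-info`
# (which writes to stderr), for example (constructed sample):
#   Keychain "/Users/demo/Library/Keychains/work.keychain" lock-on-sleep timeout=300s
# Prints "ok" or the reason the keychain fails the policy; returns 0 only for ok.
check_settings() {
    max=$(minutes_to_seconds "$2") || return 2
    case "$1" in
        *" lock-on-sleep"*) ;;
        *) echo "no lock on sleep"; return 1 ;;
    esac
    case "$1" in
        *" timeout="*s) ;;
        *) echo "no inactivity timeout"; return 1 ;;
    esac
    t=${1##* timeout=}; t=${t%s}
    case "$t" in ''|*[!0-9]*) echo "unparsable timeout"; return 1 ;; esac
    [ "$t" -le "$max" ] || { echo "timeout ${t}s exceeds ${max}s"; return 1; }
    echo ok
}
```

Set DRY_RUN=1 to print the security command instead of running it, for example before applying a five-minute policy with autolock_keychain ~/Library/Keychains/work.keychain 5.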

To change the password of a keychain, make sure it is selected from the list, and choose Change Password for Keychain “keychain name” from the Edit menu. This presents a dialog identical to the one shown previously in Figure 10-15 where you set the password for a new keychain.

Tip

You can have easy access to locking and unlocking your keychain at will, without ever having to open the Keychain Access application again. From the View menu, you can choose Show Status in Menu Bar. Choosing this option puts a little lock icon in the menu bar, which is a pull down menu that gives you the option to lock and unlock the keychain, lock the screen, and to open both the keychain and security preferences.




Mac OS X Bible, Panther Edition
ISBN: 0764543997
EAN: 2147483647
Year: 2003
Pages: 290
