One Minute Mac Tip: Use Mac OS X’s Keychain to Store, Recover, and Sync All Your Passwords From One Place

Since Mac OS X 10.2 Jaguar, Mac users have been accustomed to the ease of use of Apple’s very cool Keychain Services technology. The Mac OS X Keychain is basically a secure database of all your passwords, sorted into files called (unsurprisingly enough) “keychains.” Each user account on a Mac OS X system has a login.keychain, and the system itself also has a system.keychain.

Whenever you tell an application to “Remember this password in my keychain,” what you’re doing is writing a new encrypted entry into your user account’s ~/Library/Keychains/login.keychain file. Then, the next time the application needs to access a restricted resource, it just asks Mac OS X to get the password for it. Of course, all of this happens automatically, so except for that single checkbox most users probably don’t know that the keychain even exists.

What’s even more awesome than all of this automagic password storing action, though, is the fact that Apple has also provided an easy-to-use application to manipulate the keychain yourself. What good does this do us? Plenty! Observe.

Say you’ve just signed up with a new ISP. They send you a username and a password to log on to their ADSL network with. Of course, they send this password to you on paper—how insecure! Instead, after changing the password to something else first (something other than mypassword, which is the example password I’ll use here), we can use Mac OS X Keychain to securely store the password and retrieve it later.

  1. First, launch the Keychain Access application located in the /Applications/Utilities folder of your startup drive.
  2. Next, click the “Create a new Keychain item” button (the + button) near the lower left-hand corner of the window. The Add Keychain Item sheet appears.
  3. Enter a meaningful name, such as “ADSL ISP Account” in my example, in the Keychain Item Name field.
  4. Enter the username or account name associated with this password in the Account Name field.
  5. Enter the password into the Password field.
  6. Click the Add button.

That’s all there is to it. To later retrieve your password if, say, you ever forget it:

  1. Launch the Keychain Access application.
  2. Locate and double-click the keychain item that stores the account and password information you want to retrieve.
  3. Tick the “Show password” checkbox. You’ll be presented with a dialogue box that asks for your keychain’s master password. Unless you’ve already set it to something else, this is the same password you use to log in to your Mac OS X user account.
  4. Enter your keychain password and click “Allow.” If you click “Always Allow” instead, Keychain Access will not prompt you for your login keychain’s password the next time you ask to see this particular password. I never press that button.
  5. Your password’s plaintext is now visible.
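
The same store and retrieve steps can also be done from Terminal. The following is an added example, not part of the original tip: it assumes the `security` command-line tool that ships with current macOS releases, and the names `kc_store`, `kc_fetch` and `KC_SERVICE` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the `security`
# command-line tool that ships with current macOS releases.

KC_SERVICE="ADSL ISP Account"   # item name used in the article's walkthrough

# Store (or update) the password for ACCOUNT in the default keychain.
kc_store() {
    [ -n "$1" ] || { echo "usage: kc_store ACCOUNT" >&2; return 2; }
    # -U  update the item if it already exists
    # -w  given last with no value, so security prompts for the password
    #     and it never appears in the process list or shell history
    # -A (allow any application to read the item without warning) is
    #     deliberately not passed.
    security add-generic-password -U -s "$KC_SERVICE" -a "$1" -w
}

# Print only the stored password for ACCOUNT on stdout.
kc_fetch() {
    [ -n "$1" ] || { echo "usage: kc_fetch ACCOUNT" >&2; return 2; }
    # -w prints just the password; security's own error text is replaced
    # with a single message so callers only need to check the exit status.
    security find-generic-password -s "$KC_SERVICE" -a "$1" -w 2>/dev/null || {
        echo "no keychain item for account '$1' (or access was denied)" >&2
        return 1
    }
}
```

Source the file in a Terminal session, then run `kc_store youraccount` to be prompted for the password and `kc_fetch youraccount` to print it.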

This effectively obviates the need for third-party applications such as Password Gorilla, PasswordWallet or KeePassX, which are great programs but all suffer from the lack of a good user interface. Furthermore, there’s no reason why we can’t store short arbitrary strings of sensitive information in the keychain temporarily. Sure, it might clutter up your keychain, but you can always search the entries using the standard Mac OS X filter search bar at the top right of the window.

In fact, Apple’s been kind enough to offer an interface to do just that in an even more effective way, called Secure Notes. These are simply plain text strings of arbitrary length that can be stored securely inside your keychain, and that use the same interface to access (requiring your password to view). The only real difference is that instead of a single line, you’re given a fully scrollable text area in which to type your secure note.

Moreover, because keychains can be synced to multiple Macs with .Mac Sync (or a third-party synchronization solution), you can always have access to all your passwords regardless of which physical Mac you’re using. Best of all, since you never have to remember another password ever again, you can quit using the same password for multiple accounts, and you can always use really hard-to-crack passwords.

2 replies on “One Minute Mac Tip: Use Mac OS X’s Keychain to Store, Recover, and Sync All Your Passwords From One Place”

  1. This is the password management solution I’ve been using for years now and it’s not failed me yet. The only passwords I don’t use this method for are the ones I absolutely must have access to when not at my Mac. Instead of using completely random passwords, I use long-but-memorable ones which I shall not reveal here. ;)
