The Keychain is perhaps one of the least understood parts of Mac OS X, yet it’s something you’re using every day.
In this article, we’ll find out just what the keychain is and then talk about some of the neat tricks you can do with it.
What is the Keychain?
The Keychain system came about to solve a problem. The people who wrote applications, such as your e-mail or your web browser, thought it would be nice if their app stored your password or other information so you wouldn’t have to type it in each time it was needed. The problem is, how do they store it?
Passwords are supposed to be secure, so they couldn’t just leave them lying around your disk for anyone to read. So they’d have to come up with a clever way to store them securely. And each application would have to do this (hopefully). As you can imagine, this led to the wheel being reinvented over and over, and sometimes the wheel wasn’t as round as it needed to be.
Apple looked at this and said, “Hey, why don’t we create a centralized ‘bucket’ for passwords, and we’ll let each application just store and retrieve them there. We’ll encrypt the bucket, and that will keep it safe.” Which is what they did, but a little more. They also posted a security guard who keeps the passwords in the bucket from being handed out to just any old person. Nope, the security guard keeps a very close eye on things, standing watch over your passwords.
So how does it work?
How does the security guard know when it can hand out passwords? Ironically, you have to give it a password before it will start doing this. It’s called “unlocking” the keychain. When you log into your Mac (or if it’s set to automatically log in for you), your login password is used to unlock your keychain. Now the security guard will allow the prescribed applications to dip into the bucket and fish out the passwords they’ve stored there.
Normally, when you change your OS X log-in (account) password, your keychain password is changed also, but there are times when it isn’t. If your log-in password has changed but your keychain password hasn’t, then logging in will not automatically unlock the keychain. Instead, the keychain will bug you to unlock it the first time some app tries to grab a password.
This may also happen if your login account was created with an empty password. You cannot have a keychain that is not password protected. Otherwise, how would the security guard ever know when it was OK to hand things out?
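The store-once, fetch-later behaviour described in this section can be tried from Terminal with the `security` command-line tool that ships with Mac OS X. This is an added example, not part of the original article; the function names and the sample service and account values are made up for illustration.

```shell
#!/bin/sh
# Added example. Function names and the service/account values are
# illustrative placeholders, not anything from the article.

# Print the password stored for service $1 / account $2.
# Returns non-zero if there is no such item or access is refused
# (for example, the keychain stays locked).
kc_fetch() {
    security find-generic-password -s "$1" -a "$2" -w 2>/dev/null
}

# Create or update (-U) the item. Ending the command with a bare -w makes
# `security` prompt for the secret itself (per the security(1) man page on
# current macOS), so it never appears in the process list or shell history.
kc_store() {
    security add-generic-password -U -s "$1" -a "$2" -w
}

# What a well-behaved app does: ask the keychain first, and only bother
# the user when nothing is stored yet.
kc_get_or_prompt() {
    service=$1
    account=$2
    if secret=$(kc_fetch "$service" "$account"); then
        printf '%s\n' "$secret"
        return 0
    fi
    echo "Nothing stored for $account at $service; enter it once to save it." >&2
    kc_store "$service" "$account" >&2 || return 1
    kc_fetch "$service" "$account"
}

# Stand-alone use: ./kc.sh example-mail "$USER"
# Reports only the length so the secret is not echoed to the terminal.
if [ "$#" -eq 2 ]; then
    pw=$(kc_get_or_prompt "$1" "$2") || exit 1
    echo "retrieved a ${#pw}-character secret for $2 at $1"
fi
```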
What else can it do?
One of the little known facts is that you, as the owner of a keychain, can go in and examine its contents. Let’s say that your mail program is set to store your password, then one day you want to try out mail on the web and the page asks you for your password. “I don’t know. I haven’t had to type it in for several months!”
Keychain Access to the rescue! Hiding in your Utilities folder (inside of your Applications folder) is a little guy called “Keychain Access”. You can open that up and take a look at your keychains. The one you’re probably most interested in is called “login”. (For older accounts, it might be named after you.)
You can double-click on an entry to see its contents. But there’s a catch. Remember that security guard we talked about earlier? He’d be sleeping on the job if he didn’t check you out first. To see the actual contents, you’ll have to type in your keychain password first. Only then will it show you the goods.
And that’s it?
There’s another feature I used quite often as well. Do you have a list of stuff somewhere that’s really, REALLY important? You want that information around, but it would be bad if it ever got lost or stolen? Enter “Secure Notes”. They’re basically just a keychain entry that you add manually.
From the “File” menu, choose “New secure note item”. You’ll get to give it a name. You’ll then be able to put whatever you want as contents. When you’re done, it will be protected by the same security guard that’s watching the rest of your passwords.



September 12th, 2007 at 2:53 pm
Cool! I like the secure notes thing.
September 24th, 2007 at 3:51 pm
[...] we discussed before, the keychain is a place for any application that needs to store sensitive stuff, rather than [...]