I find that many customers just scratch the surface of the capabilities of OS X. Since we are on the subject of passwords, I thought we’d talk again about Keychain. If you are like me, you have about a billion passwords and user names to remember. Some are easy and some are more complex and need more security. It is sometimes difficult to remember which user name and password you have used for which web site. Fortunately, your Mac can remember all this for you. Keychains have been around for some time, but the Keychain Access utility has never been handier. Mac OS X Tiger introduced Spotlight across the system, and that includes Keychain. It is now easy to find that password by using the Spotlight search box. Other Keychain features new in Tiger include the remodeled interface modeled on iTunes, Keychain Import/Export, which allows you to import and export certificates to and from your Keychain, and the ability to use .Mac to sync your Keychains to all your Macs.
The new Keychain Access window looks like the iTunes or iPhoto window, with a category list on the left (Passwords, Certificates, Keys, Notes) and the item listing in the window on the right. There is a preview pane on top. The Spotlight search box and lock toggle are at the very top. Along the bottom of the window are three other buttons: one toggles hiding and showing Keychains (useful if you have many Keychains), an “Add” button lets you manually add a Keychain item, and an “Info” button gives you access to the particulars of the selected item.
You can use a keychain to keep track of passwords for applications, servers, and websites; cryptographic keys and X.509 certificates; or even sensitive information unrelated to your computer, such as credit card numbers or personal identification numbers (PINs) for bank accounts. When you connect to a network server, open an email account, or access any password-protected item that is keychain-aware, your keychain provides the password so you don’t have to type it.
You start with a single keychain, which is created automatically the first time you log in to your Mac OS X user account. Your default keychain has the same password as your login password. This keychain is unlocked automatically when you log in to Mac OS X and is referred to in Keychain Access menus as the “login” keychain. By clicking on the lock in the upper right corner of the Keychain window you can lock and unlock your keychains.
You can create different keychains to store passwords for different purposes (for example, one for work and one for online shopping), or make a copy of a keychain so you can take it with you to other computers, or sync your keychains with your .Mac account. This can be particularly handy if you use multiple computers. I used to carry my keychain on my flash key so that I could plug it into a USB port and have all my passwords wherever I am, but now, with Tiger, it is always available via my .Mac account.
Here’s how you can access your keychain over a network or use a removable disk or flash media to take it with you to another computer:
1. Locate your keychain in Library/Keychains, inside your home folder.
2. Copy your keychain to a location on the network where it is accessible from the other computer, or onto a removable storage device or flash media.
3. If you copied your keychain onto a removable device, connect it to the other computer or insert the disc.
4. On the other computer, open Keychain Access and choose File > Add Keychain.
5. Locate your keychain and click Open.
When I forget my password, it is a simple matter to use Keychain Access to find it.
You can also use your keychain to securely store sensitive information unrelated to your computer, such as personal identification numbers (PINs) for a bank account, credit card numbers, confidential notes, or any other information that you want to keep private. Open Keychain Access, click Show Keychains, select the Keychain you wish to use, and then click “Note” in the Keychain toolbar. Type in a name for the note to help you remember what it is, type in the information you want to save, and click “Add.”
To view the contents of the note, select the note in the list of keychain items and double-click it. You’ll be asked for your keychain password if you haven’t selected “Always allow access to this item” in the Access Control pane. It’s a good idea to leave “Always allow access to this item” unselected for most items in your keychain; that way each application has to be granted access explicitly, which provides greater security for your information.
Your default keychain, which is created for you when you set up Mac OS X, is unlocked automatically when you log in or when you type your keychain password in an Unlock Keychain dialog. (Your keychain password is always the same as your login password unless you used Keychain Access to create a different password, or if you used Keychain Access to change the password of an existing keychain.)
Your keychain can also be locked automatically if your computer is idle for a while. To set your keychain to lock automatically, open Keychain Access and choose Edit > “Change Settings for Keychain ‘login’.” You can also display a keychain lock icon in your menu bar and use it to quickly lock or unlock your keychain. In Keychain Access, choose Keychain > Preferences > General and check the box that says “Show Status in Menu Bar”.
Applications that use passwords can’t retrieve a password from your keychain without your permission. When a message asks you to confirm access to your keychain, you see several options:
- Allow Once grants access this time only.
- Always Allow lets the application retrieve the password at any time.
- Deny prevents access, so you’ll have to provide the password yourself.
If you want to allow an application, such as Mail, to access your keychain without asking you, you can select the “Always Allow” option in Keychain Access.
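The three answers above, together with the automatic lock, describe a small access-control model: a locked keychain yields nothing, an unlocked one hands out an item's password only to applications the user has approved, and "Always Allow" persists that approval on the item while "Allow Once" does not. The following Python sketch is an added illustration of those rules and is not code from Apple or from this page; the `Keychain`, `KeychainItem` and `fetch` names, the constructed "mail.example.test" item, and the way user answers are passed in as arguments are all assumptions made for the example.

```python
"""Model of keychain item access control: lock state, idle timeout and per-item
application approval (added illustration, not Apple's implementation)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical constants standing in for the three buttons in the confirmation dialog.
ALLOW_ONCE, ALWAYS_ALLOW, DENY = "allow_once", "always_allow", "deny"


class AccessDenied(Exception):
    """Raised whenever the model would refuse to hand out a secret."""


@dataclass
class KeychainItem:
    name: str
    secret: str
    # The "Always allow access to this item" checkbox: any application may read it.
    always_allow_any_app: bool = False
    # Applications the user answered "Always Allow" for; persisted on the item.
    trusted_apps: set = field(default_factory=set)


@dataclass
class Keychain:
    password: str
    lock_after_idle_seconds: Optional[int] = 300  # None means never lock on idle
    items: dict = field(default_factory=dict)
    _unlocked: bool = False
    _last_activity: float = 0.0

    def unlock(self, password: str, now: float) -> None:
        if password != self.password:
            raise AccessDenied("wrong keychain password")
        self._unlocked = True
        self._last_activity = now

    def lock(self) -> None:
        self._unlocked = False

    def is_unlocked(self, now: float) -> bool:
        # Enforce the idle timeout lazily, whenever the lock state is consulted.
        if (self._unlocked and self.lock_after_idle_seconds is not None
                and now - self._last_activity >= self.lock_after_idle_seconds):
            self._unlocked = False
        return self._unlocked

    def fetch(self, item_name: str, app: str, now: float,
              answer: Optional[str] = None) -> str:
        """Return the item's secret for `app`, or raise AccessDenied.

        `answer` models what the user clicked when the dialog appeared; it is
        only consulted when the application is not already approved."""
        if not self.is_unlocked(now):
            raise AccessDenied("keychain is locked; unlock it first")
        self._last_activity = now
        item = self.items[item_name]
        if item.always_allow_any_app or app in item.trusted_apps:
            return item.secret            # no dialog: approval already recorded
        if answer == ALWAYS_ALLOW:
            item.trusted_apps.add(app)    # persisted on the item's access control list
            return item.secret
        if answer == ALLOW_ONCE:
            return item.secret            # granted now, nothing remembered
        raise AccessDenied(f"{app} was not permitted to read {item_name}")


def try_fetch(kc: Keychain, item: str, app: str, now: float,
              answer: Optional[str] = None) -> str:
    """Convenience wrapper: the secret on success, otherwise the denial reason."""
    try:
        return kc.fetch(item, app, now, answer)
    except AccessDenied as exc:
        return f"denied: {exc}"


def build_demo_keychain() -> Keychain:
    """Constructed sample: one login-style keychain holding one mail password."""
    kc = Keychain(password="correct horse", lock_after_idle_seconds=300)
    kc.items["mail.example.test"] = KeychainItem("mail.example.test", "s3cret-mail-pw")
    return kc


if __name__ == "__main__":
    kc = build_demo_keychain()
    print(try_fetch(kc, "mail.example.test", "Mail", now=0))               # locked
    kc.unlock("correct horse", now=0)
    print(try_fetch(kc, "mail.example.test", "Mail", now=1))               # no answer: denied
    print(try_fetch(kc, "mail.example.test", "Mail", now=2, answer=ALLOW_ONCE))
    print(try_fetch(kc, "mail.example.test", "Mail", now=3))               # not remembered
    print(try_fetch(kc, "mail.example.test", "Mail", now=4, answer=ALWAYS_ALLOW))
    print(try_fetch(kc, "mail.example.test", "Mail", now=5))               # remembered
    print(try_fetch(kc, "mail.example.test", "Mail", now=400))             # idle lock wins
```

Note that an "Always Allow" approval never overrides the lock: once the idle timeout has elapsed, even an approved application gets nothing until the keychain password is entered again, which is why leaving the automatic lock enabled matters more than the per-item answers.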
Adding More Keychains
You may want to create additional keychains for personal use that aren’t automatically unlocked when you log in to your user account. For example, you can create a “top secret” keychain to store notes, financial information, and any other items you want to store securely.
1. Open Keychain Access, located in Applications/Utilities.
2. Choose File > New Keychain.
3. Type a name and choose a location for the keychain, then click Create.
4. Type a password for the keychain.
5. To make the new keychain your default keychain, choose File > Make Default.
New keychains are set to lock automatically. To change this setting, select the keychain in the keychains drawer and choose Edit > “Change Settings for Keychain ‘login’.” (The name of the keychain in the menu matches the name of the selected keychain. If you selected the keychain that unlocks when you log in, the name you see is “login.”)
You may see that Keychain Access also lists “Certificates”. Digital certificates are part of your digital identity and are stored in your keychain. A certificate is an electronic document that associates your digital identity with other information, such as your name, email address, or business. Applications such as web browsers, mail clients, and online chat clients use certificates to provide safe transfer of information over the Internet. Keychain Access lets you manage your certificates and keychains.
A certificate consists of your public key, the identity of the organization (“certificate authority,” or CA) that signed your certificate, and whatever other data it chose to associate with your identity. A certificate is usually restricted for particular “uses,” such as digital signatures, encryption, use with web servers, and so on. This is called the “key use” restriction on a certificate. Attempts to use a certificate for another purpose will fail. While it is possible to make one identity (and one certificate) with multiple uses, it is unusual to make one for all possible uses. Making a certificate for multiple uses is also less secure.
A certificate is only valid for a limited amount of time, after which it becomes invalid and must be replaced with a newer version. The certificate authority can also invalidate (“revoke”) a certificate before it expires. The validity of a certificate can be verified electronically using the “public key infrastructure”, or PKI, which Mac OS X supports.
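The checks described in the two paragraphs above (validity period, revocation, and the key-use restriction) can be shown concretely. The Python below is an added example, not code from the page or from Mac OS X: it decodes the RFC 5280 KeyUsage bit string from its DER encoding and applies the three checks to a few constructed certificates. The `Certificate` dataclass, the `PURPOSE_REQUIRES` mapping and the `REVOKED_SERIALS` set are assumptions made for the example (a real client would parse the whole X.509 structure and consult the CA's revocation list), while the bit positions and the two sample encodings (`03 02 05 A0` for a signing/encryption certificate, `03 02 01 06` for a CA certificate) are standard.

```python
"""Validity, revocation and key-usage checks on a certificate (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# KeyUsage bit names in bit order, per RFC 5280 section 4.2.1.3 (bit 0 is the
# most significant bit of the first content byte of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding a KeyUsage value into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length < 1 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused_bits = der[2]            # number of padding bits in the last byte
    bits = der[3:]
    total_bits = len(bits) * 8 - unused_bits
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


# Hypothetical mapping from the purpose an application wants to the bit that
# must be present; an attempt to use the certificate otherwise must fail.
PURPOSE_REQUIRES = {
    "digital signature": "digitalSignature",
    "encrypt to this key": "keyEncipherment",
    "issue certificates": "keyCertSign",
    "sign revocation lists": "cRLSign",
}


@dataclass
class Certificate:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime
    key_usage_der: bytes          # the raw KeyUsage extension value


# Constructed stand-in for the issuing CA's certificate revocation list.
REVOKED_SERIALS = {4102}


def check_certificate(cert: Certificate, purpose: str, now: datetime) -> str:
    """Return "ok" if the certificate may be used for `purpose` at time `now`,
    otherwise a short reason, checked in the order a verifier would apply them."""
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    if cert.serial in REVOKED_SERIALS:
        return "revoked by the certificate authority"
    needed = PURPOSE_REQUIRES[purpose]
    if needed not in decode_key_usage(cert.key_usage_der):
        return f"key usage does not permit {purpose}"
    return "ok"


UTC = timezone.utc
# Constructed sample certificates (serials, names and dates are made up).
USER_CERT = Certificate("user@example.test", 4101,
                        datetime(2007, 1, 1, tzinfo=UTC), datetime(2008, 1, 1, tzinfo=UTC),
                        b"\x03\x02\x05\xa0")   # digitalSignature + keyEncipherment
REVOKED_CERT = Certificate("old@example.test", 4102,
                           datetime(2007, 1, 1, tzinfo=UTC), datetime(2008, 1, 1, tzinfo=UTC),
                           b"\x03\x02\x05\xa0")
CA_CERT = Certificate("Example Test CA", 1,
                      datetime(2005, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC),
                      b"\x03\x02\x01\x06")     # keyCertSign + cRLSign

if __name__ == "__main__":
    when = datetime(2007, 6, 1, tzinfo=UTC)
    for cert, purpose in [(USER_CERT, "digital signature"), (USER_CERT, "issue certificates"),
                          (REVOKED_CERT, "digital signature"), (CA_CERT, "issue certificates")]:
        print(f"{cert.subject:20} {purpose:22} -> {check_certificate(cert, purpose, when)}")
    print(f"{USER_CERT.subject:20} {'digital signature':22} -> "
          f"{check_certificate(USER_CERT, 'digital signature', datetime(2009, 1, 1, tzinfo=UTC))}")
```

The order of the checks matters in practice: an expired or revoked certificate is rejected before its key usage is even examined, so a certificate that "looks right" for a purpose still fails once the CA has withdrawn it.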
To view a certificate in Keychain Access:
1. Open Keychain Access, located in /Applications/Utilities.
2. Click Show Keychains if the Keychains list is closed, then select the keychain you want to use (if the keychain is locked, click the lock icon and enter your keychain password to unlock it).
3. To reduce the number of items and show just certificates, select a certificate category in the Category list.
4. Select a certificate.
5. For more detailed information about the certificate, click the Info button.
If you need to send a certificate to someone else, you can export it using Keychain Access and send it through email or by other means. Likewise, if someone sends you a certificate, you can add it to your keychain by dropping it onto Keychain Access, or using the Import menu in Keychain Access.
I use Keychain Access enough that it has found a home in my dock.