The information explosion of the computer age may translate into bargains, power, and efficiency, but as noted above, it carries with it a colossal annoyance: the proliferation of passwords we have to memorize. Shared folders on the network, Web sites, FTP sites—each requires another password.
Apple has done the world a mighty favor with its Keychain feature. (It’s an earlier, not-Internet-based version of the iCloud Keychain described in Saved Passwords: The iCloud Keychain.) Whenever you log into OS X and type in your password, you’ve typed the master code that tells the computer, “It’s really me. I’m at my computer now.” From that moment on, the Mac automatically fills in every password blank you encounter, whether it’s a Web site in Safari, a shared disk on your network, a wireless network, an encrypted disk image, or an FTP (File Transfer Protocol) program like Transmit or Cyberduck. With only a few exceptions, you can safely forget all your passwords except your login password.
All kinds of programs and services know about the Keychain and offer to store your passwords there. For example:
In Safari, whenever you type your name and password for a certain Web page and then click OK, a dialog box asks: “Would you like to save this password?” (See Figure 13-17, top.)
This offer is valid only if, in Safari→Preferences→AutoFill tab, “User names and passwords” is turned on. If not, the “Would you like to save this password?” message never appears.
Note, too, that some Web sites use a nonstandard login system that doesn’t produce the “Would you?” message. Unless the Web site provides its own “Remember me” or “Store my password” option, you’re out of luck; you’ll have to type in this information with every visit.
Figure 13-17. Top: Safari is one of several Internet-based programs that offer to store your passwords in the Keychain; just click Yes. The next time you visit this Web page, you’ll find your name and password already typed in. At any time, you can see a complete list of the memorized Web passwords by choosing Safari→Preferences→Passwords (page 721). Bottom: When you connect to a server (a shared disk or folder on the network), just turn on “Remember this password in my keychain.”
When you connect to a shared folder or disk on the network, the opportunity to save the password in your Keychain is equally obvious (Figure 13-17, bottom).
You also see a “Remember password (add to Keychain)” option when you create an encrypted disk image using Disk Utility.
Mac email programs, like Mail and Outlook, store your email account passwords in your Keychain. So do FTP programs; check their Preferences dialog boxes.
Your iCloud account information is stored in the Keychain, too (as you entered it on the iCloud pane of System Preferences).
A “Remember password” option appears when you type in the password for a wireless network or an AirPort base station.
The iTunes program memorizes your iTunes Store password, too.
If you work alone, the Keychain is automatic, invisible, and generally wonderful. Login is the only time you have to type a password. After that, the Mac figures, “Hey, I know it’s you; you proved it by entering your account password. That ID is good enough for me. I’ll fill in all your other passwords automatically.” In Apple parlance, you’ve unlocked your Keychain just by logging in.
But there may be times when you want the Keychain to stop filling in all your passwords, perhaps only temporarily. Maybe you work in an office where someone else might sit down at your Mac while you’re getting a candy bar.
Of course, you can have OS X lock your Mac—Keychain and all—after a specified period of inactivity (Sharing Across Accounts).
But if you want to lock the Keychain manually, so that no passwords are filled in until you unlock it again, you can use any of these methods. Each requires the Keychain Access program (in your Applications→Utilities folder):
Lock the Keychain manually. In the Keychain Access program, choose File→Lock Keychain “login” (⌘-L), or just click the big button in the toolbar (Figure 13-18).
Figure 13-18. In the main Keychain list, you can double-click a listing for more details about a certain password—including the actual password it’s storing. To see the password, turn on “Show password.” The first time you try this, you’re asked to prove your worthiness by entering your Keychain password (usually your account password). If you then click Always Allow, you won’t be bothered for a password-to-see-this-password again.
Choose Lock Keychain “login” from the Keychain menulet. To put the Keychain menulet on your menu bar, open Keychain Access and choose Keychain Access→Preferences→General. Turn on “Show keychain status in menu bar.”
Lock the Keychain automatically. In the Keychain Access program, choose Edit→Change Settings for Keychain [your name]. The resulting dialog box lets you set up the Keychain to lock itself, say, 5 minutes after the last time you used your Mac, or whenever the Mac goes to sleep. When you return to the Mac, you’re asked to re-enter your account password in order to unlock the Keychain, restoring your automatic-password feature.
Whenever the Keychain is locked, OS X no longer fills in your passwords.
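The locking options described above can also be checked and applied from Terminal with the Mac’s security command-line tool. The script below is an added example, not part of the original text; its function names, the 300-second default, the keychain name you pass in, and the report format that check_lock_policy parses are assumptions.

```shell
#!/bin/sh
# Added example: audit and apply a keychain auto-lock policy from Terminal.

# Classify one report line from `security show-keychain-info`.
# Assumed format: Keychain "<path>" [lock-on-sleep] (timeout=<N>s | no-timeout)
# Prints "ok" or a reason; returns non-zero unless the policy is met.
check_lock_policy() {
    flags=${1##*\"}          # keep only what follows the quoted path
    max_secs=$2
    case " $flags " in
        *" lock-on-sleep "*) ;;
        *) echo "weak: stays unlocked across sleep"; return 1 ;;
    esac
    case " $flags " in
        *" no-timeout "*) echo "weak: no inactivity timeout"; return 1 ;;
    esac
    secs=${flags##*timeout=}
    secs=${secs%s}
    case $secs in
        ''|*[!0-9]*) echo "unknown: unrecognized report"; return 2 ;;
    esac
    if [ "$secs" -gt "$max_secs" ]; then
        echo "weak: timeout ${secs}s exceeds ${max_secs}s"; return 1
    fi
    echo "ok"
}

# Audit a keychain on a Mac; the report is written to stderr, hence 2>&1.
audit_keychain() {
    check_lock_policy "$(security show-keychain-info "$1" 2>&1)" "${2:-300}"
}

# Apply the policy: -l locks on sleep, -u locks after -t seconds of inactivity.
harden_keychain() {
    security set-keychain-settings -l -u -t "${2:-300}" "$1"
}

# Manual lock, the Terminal equivalent of File→Lock Keychain.
lock_now() {
    security lock-keychain "$1"
}
```

On a Mac, audit_keychain login.keychain reports whether the login keychain meets the 5-minute policy, and harden_keychain login.keychain 300 applies it.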
As noted above, you unlock your Keychain using the same password you use to log into OS X, but that’s just a convenience. If you’re really worried about security, you can choose Edit→Change Password for Keychain [your name], thereby establishing a different password for your Keychain, so that it no longer matches your login password.
Of course, doing so also turns off the automatic-Keychain-unlocking-when-you-log-in feature.
To take a look at your Keychain, open the Keychain Access program. By clicking one of the password rows, you get to see its attributes—name, kind, account, and so on (Figure 13-18).
The primary purpose of the Keychain is, of course, to type in passwords for you automatically. However, it’s also an excellent place to record all kinds of private information just for your own reference: credit card numbers, ATM numbers, and so on. Simply choose File→New Password Item (if it’s a name and password) or File→New Secure Note Item (if you just want to type a blob of very, very private text).
No, the Mac won’t type them in for you automatically anywhere, but it will maintain them in one central location that is, itself, password-protected.
By choosing File→New Keychain, you can create more than one Keychain, each with its own master password. On one hand, this might defeat the simplicity goal of the Keychain. On the other hand, it’s conceivable that you might want to encrypt all your business documents with one master password and all your personal stuff with another, for example.
If you do have more than one Keychain, you can view all of them by clicking the little Show Keychains button at the lower-left corner of the Keychain Access window; now you see a list of all your Keychains (including some maintained by OS X itself). Click their names to switch among them.