An Explanation Of Apple Mac Security

Keychain Security - Password Vault

With so many user names and passwords to remember (e-mail logins, online banking logins, supermarket website logins and so on) you can be forgiven for wanting to use one password for everything, but Sod's law says this will not work: once someone else has that 'One Password For Everything' you are stuffed. You might then decide to play it safe with a handful of passwords, say one for e-mail, one for credit card sites and one for everything else. Sod's law still catches you, because with that many passwords to remember you are bound to forget one of them.

On top of this, web browsers try to help you out by asking 'Do you want Password Manager to remember that password for you?', and macOS offers the same service through its Keychain. The catch with a browser password manager and with the keychain alike is that the vault itself is protected by a password before it will hand anything back. In the case of the keychain, the 'vault' is not a folder of files but a single encrypted database file called a keychain; your personal one is login.keychain (login.keychain-db on recent versions), kept in the Keychains folder inside your home folder's Library folder. Each keychain holds items: website addresses with their passwords, application passwords, network passwords, and also keys and certificates.

Fortunately, once a keychain has been unlocked with its password every item inside it is available; you do not need a different password for each saved website, application or network. The password for your login keychain is, unless you have changed it, your computer login password, so it should not be too difficult to remember. macOS unlocks the login keychain for you when you log in, which is why Mail and Safari can use their saved passwords without asking you for anything.


In this section I will demonstrate how you can use the Keychain Access application (utility) to view a forgotten password, such as a wireless network password or a website login password. Keychain Access is classed as a utility, so you will find it inside the UTILITIES sub-folder of the APPLICATIONS folder. Simply double click on its icon to launch it.

Fig 1.0  Double click on the Keychain Access application icon to continue

When the Keychain Access window opens make sure the items listed in the main pane come from the LOGIN keychain and belong to the PASSWORDS category. In other words, in the left sidebar make sure LOGIN is selected underneath the KEYCHAINS heading and PASSWORDS is selected underneath the CATEGORY heading.

Fig 1.1  Underneath the CATEGORY heading make sure the word (category) PASSWORDS is selected

When you select (click on) the PASSWORDS category the last item you opened may still be highlighted in a faint grey colour, with its general information displayed in the pane above the list, provided that item appears in the current listing. Double clicking any listed item, whether you have opened it before or not, lets you view its password.

In this example I am NOT going to double click on the previously opened Facebook item; I am going to double click on the Transport For London (TFL) item instead. Doing so brings up a window displaying that item's general information (Fig 1.3 below), where I have the option of viewing the stored password by putting a tick in the window's SHOW PASSWORD checkbox.

Fig 1.2  Double click on a listed item to view its general information

Fig 1.3  Tick the SHOW PASSWORD option if you want to view the password stored inside the item

As you can see from the above, the general information tells you which website the item belongs to (the TFL website) and what kind of password it stores (an Oyster Card website login-form password). Other kinds include application passwords and internet passwords. To see the password stored inside a particular item, for a website, application or network for example, simply put a tick next to the SHOW PASSWORD option. Keychain Access will then ask you for a password, possibly twice, and every prompt wants the same password: the password of the LOGIN keychain, which is normally your computer login password. Keychain Access is not unlocking a vault and then a sub-folder; it is unlocking one keychain file and then asking for authorisation to read one item inside it, and both steps are guarded by that keychain's single password.

The first prompt (Fig 1.4) appears only if the LOGIN keychain is currently locked: Keychain Access needs to unlock the keychain before it can read anything stored in it. Enter the password and click on the OK button to continue.

Fig 1.4  Keychain Access needs the LOGIN keychain's password to unlock the keychain

With the keychain unlocked the second prompt (Fig 1.5) appears. Every item in a keychain carries its own access list, and this prompt is Keychain Access asking you to authorise it to read the secret inside the currently selected TFL item; the password it wants is again the LOGIN keychain password.

When you have entered the password you have the choice of clicking on the ALWAYS ALLOW button, the DENY button or the ALLOW button. ALLOW lets Keychain Access read this one item this one time. ALWAYS ALLOW adds Keychain Access to that item's access list permanently, so revealing that item's password will not prompt again while the keychain is unlocked. Note that ALWAYS ALLOW applies to the item you are looking at, not to every item in the keychain, so you will still be asked when you reveal a different item. In this example, because I only want to view the TFL password once, I shall click on the ALLOW button.

Fig 1.5  Keychain Access needs the LOGIN keychain password again to be allowed to read the TFL item

When you have completed the above steps the password stored inside the selected item is shown in the SHOW PASSWORD field. In this example I have blurred it out because it is a live screenshot containing my real TFL website login password.

Fig 1.6  The password stored inside the TFL Oyster item is displayed in the SHOW PASSWORD box

As said above, you can view the general information and the forgotten password of a wireless network, networked hard drive, website login page, application and so on in exactly the same way. Looking at the listing below you can see that I have login passwords for the 3G mobile phone website (my 3G account), the TFL website (my Oyster Card account), the Facebook website (my Facebook account), my web hosting website (my website account) and so on.

Fig 1.7  Double click on an AirPort wireless network item to view its wireless network password

Going back to the keychain password for a minute. When the LOGIN keychain is locked the padlock icon in the top-left corner of the Keychain Access window is shown closed (Fig 1.8 below); once the keychain has been unlocked with its password the icon changes to an open padlock (Fig 1.9). You can click the padlock to unlock the keychain before selecting an item, and it will then stay unlocked, so you do not have to unlock it every time you use Keychain Access. Bear in mind what that means: while the keychain is unlocked, any item you have clicked ALWAYS ALLOW for can be read without a password by anyone sitting at your logged-in Mac, and Mail and Safari can use their stored passwords without asking. If you share the machine or leave it unattended, use the Edit menu's Change Settings for Keychain 'login' option to have the keychain lock itself after a period of inactivity and when the computer sleeps, or click the padlock to lock it yourself when you have finished.

Fig 1.8  The keychain is locked - unlock it with the keychain password

Fig 1.9  The keychain is unlocked - the keychain password opened it
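Everything Keychain Access does above (unlock the keychain, read one item's secret, grant an application permanent access to an item, lock the keychain again) can also be done from the command line with the macOS security tool, which talks to the same keychain service. The script below is an added example written for this page, not something from the original article or from Apple; it works in a throwaway keychain so that no real password is touched, and the keychain name, its password and the 'TFL Oyster' item are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): the Keychain Access steps done
# with the macOS `security` tool in a throwaway keychain. The keychain path,
# its password and the "TFL Oyster" item are constructed for illustration.
set -eu

KC="${HOME:-/tmp}/Library/Keychains/demo-vault.keychain"  # a keychain is one encrypted file
KC_PASS='demo-keychain-password'                           # assumed throwaway password

# Create the throwaway keychain (-p supplies the password, so no prompt appears).
create_demo_keychain() {
    security delete-keychain "$KC" >/dev/null 2>&1 || true
    security create-keychain -p "$KC_PASS" "$KC"
}

# Store a website login, the kind of item Keychain Access lists under Passwords.
# -T names an application allowed to read the secret without the Allow prompt;
# this is what clicking ALWAYS ALLOW in Keychain Access does for that one item.
add_website_item() {
    security add-internet-password -a 'oyster-user' -s 'oyster.tfl.gov.uk' \
        -r 'htps' -l 'TFL Oyster (demo)' -w 'demo-site-secret' \
        -T /usr/bin/security "$KC"
}

# Read the secret back: -w prints only the password (the SHOW PASSWORD box).
# If the keychain is locked this raises the unlock prompt, or fails with
# "User interaction is not allowed" when there is no GUI session.
read_website_item() {
    security find-internet-password -a 'oyster-user' -s 'oyster.tfl.gov.uk' -w "$KC"
}

# Show the item's metadata without the secret (the general-information pane).
show_website_item() {
    security find-internet-password -a 'oyster-user' -s 'oyster.tfl.gov.uk' "$KC"
}

# The padlock icon: lock and unlock the whole keychain.
lock_demo_keychain()   { security lock-keychain "$KC"; }
unlock_demo_keychain() { security unlock-keychain -p "$KC_PASS" "$KC"; }

# Instead of leaving a keychain permanently unlocked, have it lock itself:
# -l locks when the machine sleeps, -u locks after -t seconds of inactivity.
harden_lock_settings() { security set-keychain-settings -l -u -t 300 "$KC"; }

cleanup_demo_keychain() { security delete-keychain "$KC"; }

# Walk through the same sequence as the Keychain Access screenshots.
if command -v security >/dev/null 2>&1; then
    create_demo_keychain
    add_website_item
    show_website_item
    echo "unlocked read: $(read_website_item)"
    harden_lock_settings
    lock_demo_keychain        # padlock closed: a read now would prompt for the password
    unlock_demo_keychain      # padlock open again
    echo "read after unlock: $(read_website_item)"
    cleanup_demo_keychain
else
    echo "the security tool only exists on macOS; nothing to demonstrate here"
fi
```

Because -w prints the secret in clear, run it only in a terminal you control, never in a script whose output is logged or shared. The same rule as in the GUI applies: a locked keychain will not give the secret up without its password, and an application not on an item's access list gets the Allow prompt. Where a wireless network password lives depends on the macOS version; on versions that keep AirPort passwords in the System keychain, the lookup is a generic-password item of kind 'AirPort network password' (security find-generic-password -D 'AirPort network password' -a '<network name>' -w /Library/Keychains/System.keychain) and you are asked for an administrator password instead of your login keychain password.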

Be careful when using Keychain Access, and with keychain items in general, as deleting an item can have unwanted side-effects. If you delete the item that the Mail application uses for an e-mail account, for example, Mail will no longer find that account's password; it will have to ask you for it again and store a new item, and you may then be asked whether Mail may use the new item in the LOGIN keychain (Fig 1.10). If this happens you may need to click ALWAYS ALLOW for the Mail application again, or simply recreate the e-mail account from scratch.

Fig 1.10  The Mail application wants access to a password stored in the LOGIN keychain

Although Keychain Access makes it look easy for somebody to read your wireless network password or e-mail password, the steps above show that they would still need your LOGIN keychain password, which is normally your computer login password. That is also the lesson to draw from it: that one password guards every password in the keychain, so it must be strong, it must not be reused on any website, and the keychain should not be left unlocked on a machine you walk away from.