Keychains and Your MacBook
A Mac OS X feature that’s been around for decades now is the keychain. Your account keychain on your MacBook stores all the username/password combinations for web sites, file servers, File Transfer Protocol (FTP) servers, and the like, allowing you to simply waltz in and start using the service (whatever it is).
Sounds downright convenient, doesn’t it? And it can be, but you had better watch your step.
Three massively big problems are inherent with using keychains:
Anyone can log on as you. If your keychain is unlocked, which happens automatically when you log in, all someone has to do is sit at your desk, visit a site or connect with a server, and bam! They’re on. As you. Think about that. And then think how many times you get up from your desk, just for a second, to grab another Diet Coke or a doughnut.
You’ll forget your passwords. If the keychain file is corrupted —and it can happen — your passwords have gone to Detroit without you. Either you’ve got them on paper hidden somewhere, they’re on your recent Time Machine backup, or it’s time to change your online persona.
Keychains need yet another stinkin’ password. Yep, that’s right — your keychain can be locked (either manually or, with the right settings, automatically), and you have to remember yet another password/passphrase to unlock your keychain. “When, oh when will the madness end?”
From a security standpoint, keychains should be completely off-limits for anyone who’s interested in maintaining a well-locked-down machine (whether it’s a Mac used in a company office or a Mac shared by a classroom). Unfortunately, Lion creates a keychain automatically for every user, so you have to monitor (and delete) your keychain data manually. (Sigh.)
However, if you’re the only person using your MacBook and it resides in your home and you absolutely must use keychains, you can display them all for the current account from the Keychain Access application, conveniently located in Utilities within your Applications folder. Click the desired category tab and then click an item in the keychain list to display or edit all its information.
Anyone can display and edit server and site information just by launching this application! (It’s just as bad to set the Automatic Login feature to an admin-level account.)
To help lock things down — at least when it comes to your Internet communications — follow this path:
To display your Internet passwords, click the Passwords category.
Click each Internet password to select it in the list and then click the lowercase i button at the bottom of the window to display the information on that password.
Click the Access Control tab to display the settings.
To minimize the damage that someone can do with this password, you can select the Confirm before Allowing Access radio button. And for yet another level of security, select the Ask for Keychain Password check box.
Click the plus sign button at the bottom of the Keychain Access window to add a new password. Type a name for the item, the username that you typically type to gain access, and the password for that server or site. Then click Add and cross your fingers.
To display all the keychains you can access, choose Edit→Keychain List. To create a brand-new keychain, choose File→New Keychain. Mac OS X prompts you for the filename for your new keychain file. In the New Keychain dialog that appears, enter a catchy name in the Save As text box.
By default, the keychain file is created in the Keychains folder — a good idea — but if you want to store it elsewhere, click the down-arrow button next to the Save As text box and navigate to the desired folder. When you’re ready, click the Create button. Now you need to enter yet another password, type it again to verify it, and click OK.
To lock or unlock your login keychain, click the Lock icon at the top-left of the Keychain Access window. (Unlocking your keychain requires you to enter your login password. Go figure.)