Keychain (software)

Keychain
Developer(s) Apple Inc.
Initial release 1999
Operating system Mac OS 9, macOS
Type system utility
License APSL-2.0
Website Keychain Services
Keychain Access
Developer(s) Apple Inc.
Stable release
11.0 (55296.40.3) / 2020
Operating system Mac OS 9, macOS
Type password manager
Website Keychain Access Help

Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.

Storage and access

In macOS, keychain files are stored in ~/Library/Keychains/ (and subdirectories), /Library/Keychains/, and /Network/Library/Keychains/, and the Keychain Access GUI application is located in the Utilities folder inside the Applications folder. [1] [2] It is free and open-source software released under the terms of the APSL-2.0. [3] The command-line equivalent of Keychain Access is /usr/bin/security.

The keychain database is encrypted per-table and per-row with AES-256-GCM. When each credential is decrypted, how long it remains decrypted, and whether the encrypted credential is synced to iCloud all vary with the type of data stored, and are documented on the Apple support website. [4]

Locking and unlocking

The default keychain file is the login keychain, which is typically unlocked at login by the user's login password; the keychain can instead be given a password different from the login password, adding security at the expense of some convenience. [5] The Keychain Access application does not permit setting an empty password on a keychain.

The keychain may be set to lock automatically after the computer has been idle for a chosen time, [6] and can be locked manually from the Keychain Access application. When locked, the keychain password must be re-entered the next time the keychain is accessed. Overwriting the file in ~/Library/Keychains/ with a new one (e.g. as part of a restore operation) also causes the keychain to lock, and the password is required at the next access.
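The two sections above mention the /usr/bin/security command-line equivalent of Keychain Access and the idle and manual locking behaviour. The following script is an added example, not code from the article or from Apple: by default it audits the keychains in the search list and flags any that never lock automatically, and, when KEYCHAIN_HARDEN=1 is set, it applies an idle timeout and lock-on-sleep to the login keychain. The `set-keychain-settings -l -u -t`, `show-keychain-info`, `list-keychains` and `lock-keychain` subcommands are real; the exact one-line output format of `show-keychain-info` (`lock-on-sleep`, `timeout=Ns`, `no-timeout`), the fact that it is written to stderr, and the file name `login.keychain-db` under ~/Library/Keychains/ are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit and harden keychain auto-lock
# settings with /usr/bin/security, the CLI equivalent of Keychain Access.
#
# Assumed output format of `security show-keychain-info <keychain>` (one line, on stderr):
#   Keychain "<path>" [lock-on-sleep] timeout=<N>s   -> locks after N idle seconds
#   Keychain "<path>" no-timeout                     -> never locks on idle
# This format is an assumption for the example, not Apple documentation.

# Print the idle-lock timeout in seconds from one show-keychain-info line on stdin.
# Prints nothing for a keychain without an idle timeout.
keychain_timeout_from_info() {
    sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p'
}

# Return 0 if the line on stdin describes a keychain that locks on sleep or after
# an idle interval, 1 if it never auto-locks ("no-timeout" contains no "timeout=").
keychain_auto_locks() {
    line=$(cat)
    case "$line" in
        *lock-on-sleep*|*timeout=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read-only audit of every keychain in the current search list.
# Returns 1 if at least one keychain never auto-locks, 0 otherwise.
audit_keychains() {
    # list-keychains prints each path indented and double-quoted; strip both.
    security list-keychains | sed 's/^ *"\(.*\)"$/\1/' | {
        flagged=0
        while IFS= read -r kc; do
            info=$(security show-keychain-info "$kc" 2>&1) || continue
            if printf '%s\n' "$info" | keychain_auto_locks; then
                echo "ok      $kc  ($info)"
            else
                echo "WARNING $kc never auto-locks"
                flagged=$((flagged + 1))
            fi
        done
        [ "$flagged" -eq 0 ]
    }
}

# Apply an idle timeout (-u -t <seconds>) and lock-on-sleep (-l) to the login
# keychain, then show the resulting setting. Assumes the default file name.
harden_login_keychain() {
    timeout_seconds=${1:-300}
    kc="$HOME/Library/Keychains/login.keychain-db"   # assumed default location
    security set-keychain-settings -l -u -t "$timeout_seconds" "$kc" || return 1
    security show-keychain-info "$kc" 2>&1
}

# Lock a keychain immediately (the CLI equivalent of File > Lock in Keychain Access);
# `security lock-keychain -a` would lock every keychain in the search list.
lock_keychain_now() {
    security lock-keychain "${1:-$HOME/Library/Keychains/login.keychain-db}"
}

if ! command -v security >/dev/null 2>&1; then
    echo "security(1) not found; live actions only run on macOS" >&2
elif [ "${KEYCHAIN_HARDEN:-0}" = 1 ]; then
    harden_login_keychain "${KEYCHAIN_TIMEOUT:-300}"
else
    audit_keychains || echo "one or more keychains never auto-lock (see WARNING lines)" >&2
fi
```

Run it as-is for the read-only audit, or as `KEYCHAIN_HARDEN=1 KEYCHAIN_TIMEOUT=300 sh keychain-audit.sh` to set a five-minute idle lock on the login keychain; the parsing helpers are kept separate from the commands that touch the system so the audit logic can be exercised on captured output without a macOS host.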

Password synchronization

If the login keychain is protected by the login password, then the keychain's password is changed whenever the login password is changed from within a logged-in session on macOS. On a mixed Mac/non-Mac network, the login keychain's password can lose synchronization if the user's login password is changed from a non-Mac system. The same loss of synchronization occurs if the password is changed through a directory service such as Active Directory or Open Directory, or from another admin account, e.g. using System Preferences. Some network administrators react to this by deleting the keychain file on logout, so that a new one is created the next time the user logs in. This means keychain passwords are not remembered from one session to the next, even if the login password has not been changed. If this happens, the user can restore the keychain file in ~/Library/Keychains/ from a backup, but doing so locks the keychain, which then needs to be unlocked at its next use.

History

Keychains were initially developed for Apple's e-mail system, PowerTalk, in the early 1990s. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to.

The passwords were not easily retrievable because of the encryption, yet the simplicity of the interface allowed the user to choose a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, implementations of this concept were not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and was therefore available to very few Mac users.[citation needed]

It was not until the return of Steve Jobs in 1997 that the Keychain concept was revived from the now-discontinued PowerTalk. By this point the concept was no longer so unusual, but it was still rare to see a keychain system that was not tied to a particular piece of application software, typically a web browser. Keychain was later made a standard part of Mac OS 9, and was included in Mac OS X from its first commercial versions.

Third-party software for keychain synchronization

A third-party application enabled synchronization of personal keychains created with Keychain Access in Mac OS X between devices (iPhones and desktop Apple computers), using a pair of keychain synchronization apps developed by Patrick Stein of Jinx Software: one for Mac OS X and another for iOS, called Keychain2Go. The developer could not update Keychain2Go to accommodate the restrictions Apple placed on Keychain and on access to it in Mac OS X Sierra 10.12. [7]

Security

Keychain is distributed with both iOS and macOS. The iOS version is simpler because applications that run on mobile devices typically need only very basic Keychain features. For example, features such as ACLs (Access Control Lists) and sharing Keychain items between different apps are not present. Thus, iOS Keychain items are only accessible to the app that created them.

As Mac users’ default storage for sensitive information, Keychain is a prime target for security attacks.

In 2019, 18-year-old German security researcher Linus Henze demonstrated his hack, dubbed KeySteal, which grabs passwords from the Keychain. Initially he withheld details of the hack, demanding that Apple set up a bug bounty for macOS. Apple had not done so by the time Henze subsequently revealed the hack. It abused Safari's access to security services, disguised as a utility in macOS that enables IT administrators to manipulate keychains. [8]


References

  1. "Mac OS X 10.5 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
  2. "Mac OS X 10.4 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
  3. Apple Inc. "Source Browser". opensource.apple.com. Retrieved February 26, 2012.
  4. "Keychain data protection". Apple Inc. May 17, 2021. Archived from the original on December 20, 2021. Retrieved December 20, 2021.
  5. "Mac OS X 10.5 Help: Changing your keychain password". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
  6. "Mac OS X 10.4 Help: Locking and unlocking your keychain". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
  7. Stein, Patrick. "Keychain2go keychain synchronisation software". Jinx Software. Retrieved March 22, 2023.
  8. Newman, Lily Hay (June 1, 2019). "The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack". Wired. Retrieved July 9, 2021.