Keychain (software)

Keychain Access
	Screenshot of Keychain Access on macOS 12.
Developer(s)	Apple Inc.
Stable release	11.0 (55314) / 2022
Operating system	Mac OS 9, macOS
Successor	Passwords
Type	password manager
Website	Keychain Access Help

Keychain
Developer(s)	Apple Inc.
Initial release	1999
Operating system	Mac OS 9, macOS
Successor	Passwords
Type	system utility
License	APSL-2.0
Website	Keychain Services

Last updated November 15, 2024

Keychain is a password management system developed by Apple for macOS. It was introduced with Mac OS 8.6, and was included in all subsequent versions of the operating system, as well as in iOS. A keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes. Some data, primarily passwords, in the Keychain are visible and editable using a user-friendly interface in Passwords, a built in app in macOS Sequoia and iOS 18 and available in System Settings/Settings in earlier versions of Apple's operating systems.

History

Keychains were initially developed for Apple's e-mail system, PowerTalk, in the early 1990s. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to.

The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, implementations of this concept were not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.^{[ citation needed ]}

It was not until the return of Steve Jobs in 1997 that Keychain concept was revived from the now-discontinued PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a web browser. Keychain was later made a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.

Storage and access

In macOS, keychain files are stored in ~/Library/Keychains/ (and subdirectories), /Library/Keychains/, and /Network/Library/Keychains/, and the Keychain Access GUI application is located in the Utilities folder in the Applications folder.^[1]^[2] It is free, open source software released under the terms of the APSL-2.0.^[3] The command line equivalent of Keychain Access is /usr/bin/security.

The keychain database is encrypted per-table and per-row with AES-256-GCM. The time at which each credential is decrypted, how long it will remain decrypted, and whether the encrypted credential will be synced to iCloud varies depending on the type of data stored, and is documented on the Apple support website.^[4]

Locking and unlocking

The default keychain file is the login keychain, typically unlocked on login by the user's login password, although the password for this keychain can instead be different from a user's login password, adding security at the expense of some convenience.^[5] The Keychain Access application does not permit setting an empty password on a keychain.

The keychain may be set to be automatically "locked" if the computer has been idle for a time,^[6] and can be locked manually from the Keychain Access application. When locked, the password has to be re-entered next time the keychain is accessed, to unlock it. Overwriting the file in ~/Library/Keychains/ with a new one (e.g. as part of a restore operation) also causes the keychain to lock and a password is required at next access.

Password synchronization

If the login keychain is protected by the login password, then the keychain's password will be changed whenever the login password is changed from within a logged-in session on macOS. On a shared Mac/non-Mac network, it is possible for the login keychain's password to lose synchronization if the user's login password is changed from a non-Mac system. Also, if the password is changed from a directory service like Active Directory or Open Directory, or if the password is changed from another admin account e.g. using the System Preferences. Some network administrators react to this by deleting the keychain file on logout, so that a new one will be created next time the user logs in. This means keychain passwords will not be remembered from one session to the next, even if the login password has not been changed. If this happens, the user can restore the keychain file in ~/Library/Keychains/ from a backup, but doing so will lock the keychain, which will then need to be unlocked at next use.

Third-party software for keychain synchronization

There was a 3rd party software application developed, that enabled synchronization of personal keychains generated using keychain access in Mac OS X, these standard keychain access - generated users keychains could then be synchronised between devices (iPhones - desktop Apple computers), using a pair of keychain synchronization apps developed by Patrick Stein of Jinx Software, one for Mac OS X and another for iOS called Keychain2Go. Keychain2Go could not be successfully updated by the developer to account for restrictions that Apple made to Keychain and access to Keychain in Mac OS X Sierra 10.12.^[7]

Security

Keychain is distributed with both iOS and macOS. The iOS version is simpler because applications that run on mobile devices typically need only very basic Keychain features. For example, features such as ACLs (Access Control Lists) and sharing Keychain items between different apps are not present. Thus, iOS Keychain items are only accessible to the app that created them.

As Mac users’ default storage for sensitive information, Keychain is a prime target for security attacks.

In 2019, 18-year-old German security researcher Linus Henze demonstrated his hack, dubbed KeySteal, that grabs passwords from the Keychain. Initially, he withheld details of the hack, demanding Apple set up a bug bounty for macOS. Apple had however not done so when Henze subsequently revealed the hack. It utilized Safari's access to security services, disguised as a utility in macOS that enables IT administrators to manipulate keychains.^[8]

Related Research Articles

Mac OS 9 is the ninth and final major release of Apple's classic Mac OS operating system, which was succeeded by Mac OS X 10.0 in 2001, starting the Mac OS X family of operating systems. Introduced on October 23, 1999, it was promoted by Apple as "The Best Internet Operating System Ever", highlighting Sherlock 2’s Internet search capabilities, integration with Apple's free online services known as iTools and improved Open Transport networking. While Mac OS 9 lacks protected memory and full pre-emptive multitasking, lasting improvements include the introduction of an automated Software Update engine and support for multiple users.

FileVault is a disk encryption program in Mac OS X 10.3 Panther (2003) and later. It performs on-the-fly encryption with volumes on Mac computers.

Apple Open Collaboration Environment (AOCE) is a collection of messaging-related technologies introduced for the Classic Mac OS in the early 1990s. It includes the PowerTalk mail engine, which is the primary client-side interface to the system, the PowerShare mail server for workgroup installations, and a number of additional technologies such as Open Directory, encryption, and digital signature support.

Apple Remote Desktop (ARD) is a Macintosh application produced by Apple Inc., first released on March 14, 2002, that replaced a similar product called Apple Network Assistant. Aimed at computer administrators responsible for large numbers of computers and teachers who need to assist individuals or perform group demonstrations, Apple Remote Desktop allows users to remotely control or monitor other computers over a network. Mac Pro (2019), Mac mini with a 10Gb Ethernet card, and Mac Studio (2022) have Lights Out Management function and are able to power-on by Apple Remote Desktop.

GNOME Keyring is a software application designed to store security credentials such as usernames, passwords, and keys, together with a small amount of relevant metadata. The sensitive data is encrypted and stored in a keyring file in the user's home directory. The default keyring uses the login password for encryption, so users don't need to remember another password.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

MobileMe is a discontinued subscription-based collection of online services and software offered by Apple Inc. All services were gradually transitioned to and eventually replaced by the free iCloud, and MobileMe ceased on June 30, 2012, with transfers to iCloud being available until July 31, 2012, or data being available for download until that date, when the site finally closed completely. On that date all data was deleted, and email addresses of accounts not transferred to iCloud were marked as unused.

Apple Account, formerly known as Apple ID, is a user account by Apple for their devices and software. Apple Accounts contain the user's personal data and settings, and when an Apple Account is used to log in to an Apple device, the device will automatically use the data and settings associated with the Apple Account.

KeePass Password Safe is a free and open-source password manager primarily for Windows. It officially supports macOS and Linux operating systems through the use of Mono. Additionally, there are several unofficial ports for Windows Phone, Android, iOS, and BlackBerry devices, which normally work with the same copied or shared (remote) password database. KeePass stores usernames, passwords, and other fields, including free-form notes and file attachments, in an encrypted file. This file can be protected by any combination of a master password, a key file, and the current Windows account details. By default, the KeePass database is stored on a local file system.

iCloud is a cloud service operated by Apple Inc. Launched on October 12, 2011, iCloud enables users to store and sync data across devices, including Apple Mail, Apple Calendar, Apple Photos, Apple Notes, contacts, settings, backups, and files, to collaborate with other users, and track assets through Find My. It is built into iOS, iPadOS, watchOS, tvOS, macOS, and visionOS. iCloud may additionally be accessed through a limited web interface and Windows application.

<span class="mw-page-title-main">Notes (Apple)</span> Software application for Apple platforms

Notes is a notetaking app developed by Apple Inc. It is provided on the company's iOS, iPadOS, visionOS, and macOS operating systems, the latter starting with OS X Mountain Lion. It functions as a service for making short text notes, which can be synchronized between devices using Apple's iCloud service. The application uses a similar interface on iOS and macOS, with a non-textured paper background for notes and light yellow icons, suggesting pencil or crayon. Until 2013, both applications used a strongly skeuomorphic interface, with a lined, textured paper design; the Mountain Lion version placed this inside a leather folder. This design was replaced in OS X Mavericks and iOS 7.

A lock screen is a computer user interface element used by various operating systems. They regulate immediate access to a device by requiring the user to perform a certain action in order to receive access, such as entering a password, using a certain button combination, or performing a certain gesture using a device's touchscreen. There are various authentication methods to get past the lock screen, with the most popular and common ones being personal identification numbers (PINs), the Android pattern lock, and biometrics.

OS X Mavericks is the 10th major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. OS X Mavericks was announced on June 10, 2013, at WWDC 2013, and was released on October 22, 2013, worldwide.

XARA is an acronym for "Unauthorized Cross-App Resource Access", which describes a category of zero-day vulnerabilities in computer software systems.

Enpass is a freemium password manager and passkey manager available for MacOS, Windows, iOS, Android and Linux, with browser extensions for all major browsers, and pricing plans for both personal use and business.

Kromtech Alliance Corp. is a Security software organization and IT investment and development company that develops software and provides customer support services for Apple's Mac OS. Kromtech Alliance Corp previously owned and distributed MacKeeper, Memory Keeper, and the anti-theft application Track My Mac.

Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. The platform offers a free US or European cloud-hosted service as well as the ability to self-host.

The iOS operating system utilizes many security features in both hardware and software, from the boot process to biometrics.

Passwords is a password manager application developed by Apple Inc. available for devices running iOS 18, iPadOS 18, macOS Sequoia, and visionOS 2 or higher. The app allows users to store and access encrypted account information saved to their iCloud Keychain or created via Sign in with Apple. Passwords can also be accessed through the iCloud for Windows program.

References

↑ "Mac OS X 10.5 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
↑ "Mac OS X 10.4 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
↑ Apple Inc. "Source Browser". opensource.apple.com. Retrieved February 26, 2012.
↑ "Keychain data protection". Apple Inc. May 17, 2021. Archived from the original on December 20, 2021. Retrieved December 20, 2021.
↑ "Mac OS X 10.5 Help: Changing your keychain password". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
↑ "Mac OS X 10.4 Help: Locking and unlocking your keychain". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
↑ Stein, Patrick. "Keychain2go keychain synhcronisation software". Jinx Software. Retrieved March 22, 2023.
↑ Newman, Lily Hay (June 1, 2019). "The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack". Wired . Retrieved July 9, 2021.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Mac OS X 10.5 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.

[2] "Mac OS X 10.4 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.

[:0-3] Apple Inc. "Source Browser". opensource.apple.com. Retrieved February 26, 2012.

[4] "Keychain data protection". Apple Inc. May 17, 2021. Archived from the original on December 20, 2021. Retrieved December 20, 2021.

[5] "Mac OS X 10.5 Help: Changing your keychain password". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.

[6] "Mac OS X 10.4 Help: Locking and unlocking your keychain". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.

[7] Stein, Patrick. "Keychain2go keychain synhcronisation software". Jinx Software. Retrieved March 22, 2023.

[8] Newman, Lily Hay (June 1, 2019). "The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack". Wired . Retrieved July 9, 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Classic Mac OS
Versions	System 1 System 2, 3, and 4 System 5 System 6 System 7 Mac OS 7 Mac OS 8 Mac OS 9
Applications	Calculator Chooser Drive Setup DVD Player Finder Graphing Calculator Keychain Access PictureViewer PowerTalk QuickTime Player Network Browser Scrapbook Sherlock Software Update Stickies System Information SimpleText
Developer	HyperCard MacsBug Macintosh Programmer's Workshop ResEdit
Technology	Alias Appearance Manager Apple menu At Ease Balloon help Bomb error Command key (⌘) Control Panel Control Strip Creator code Dogcow Extensions Hierarchical File System HFS Plus Keychain Labels Macintosh File System Macintosh Toolbox Managers MultiFinder Multiprocessing Services Option key (⌥) OSType PICT QuickDraw QuickTime Resource fork Sosumi sound Startup sequence System folder System suitcase Type code WorldScript
Related articles	Memory management Old World ROM New World ROM Software

v t e Password managers
Proprietary	1Password Apple Passwords Bitwarden Dashlane Enpass Intuitive Password Keeper LastPass Microsoft Autofill Myki NordPass Pleasant Password Server RoboForm SafeInCloud
Open source	Factotum GNOME Keyring KeePass KeePassXC KeeWeb Keychain KWallet OnlyKey Pass Password Safe Proton Pass Seahorse
Discontinued	Encryptr Firefox Lockwise Gator eWallet KeePassX KYPS Mitro Offer Assistant
Category List of password managers