How To

Create a Non-Login Keychain

Posted on by

You probably use Mac OS X’s keychain to store user names and passwords. This is an encrypted file that gets “unlocked” when you log in to your Mac, in normal circumstances, and allows software to access data belonging to you. For example, when your e-mail program wants to check for new messages, it needs to send a user name and password; it gets the password from the keychain and sends it to the mail server.

By default, Mac OS X creates a keychain for you called “login,” and this keychain gets unlocked as soon as you log into your Mac. This means that if you use automatic login, not only are your files accessible, but your keychain is unlocked, so anyone who accesses your Mac can get your e-mail, or even access web sites for which you have saved passwords in your keychain.

The first thing to change is to turn off automatic login, which we discussed in a recent Mac security tip. But another security precaution to take is to create a non-login keychain, so when you do log in, your keychain stays protected until you enter a password.

To do this, open Keychain Access (in your /Applications/Utilities folder), then choose File > New Keychain . The program will ask you to name the keychain – you could use your user name or any other name – and then a password. Don’t use the same password that is assigned to your user account; the point of creating a second keychain is to have a different password in case your account is compromised.

After you’ve done this and created the keychain, it will appear in the sidebar of the Keychain Access application. Next, click on the login keychain, select all the items in the right-hand section of the window, and drag them to the new keychain. You’ll have to enter your password to do this. Moving these items means that they won’t be unlocked when you log in, and that they’ll only be available from your new keychain.

When you next try to access an item in the keychain, you’ll have to enter your password; not your user account password, but the one for the keychain you just created. By default, the first request unlocks the keychain, and the keychain will lock again in 5 minutes. If this is too soon, you can change the amount of time before it locks; you could choose, say, 30 minutes, so you don’t have to enter your password too often.

To do this, choose Edit > Change Settings for Keychain. By default, this is set to lock again in 5 minutes. It’s best to leave Lock when sleeping checked, especially if you have a laptop. This means that whenever you close the lid of your laptop, the keychain will be locked. If anyone steals your laptop, your passwords will be protected. And, since they don’t depend on the password for your user account, ever if a thief resets the password for your account, they won’t be able to access your top-secret credentials.

Creating a separate keychain is the best way to protect your passwords from being discovered. Since the keychain password is different from your login password, the protection is doubled, and as long as the password isn’t easy to figure out, no one will be able to access your passwords.