How To

Create a Non-Login Keychain

Posted on August 26th, 2011 by

You probably use Mac OS X’s keychain to store user names and passwords. Under normal circumstances this encrypted file is “unlocked” when you log in to your Mac, which lets software read the data stored in it for you. For example, when your e-mail program wants to check for new messages, it needs to send a user name and password; it gets the password from the keychain and sends it to the mail server.

By default, Mac OS X creates a keychain for you called “login,” and this keychain gets unlocked as soon as you log into your Mac. This means that if you use automatic login, not only are your files accessible, but your keychain is unlocked, so anyone who accesses your Mac can get your e-mail, or even access web sites for which you have saved passwords in your keychain.

The first thing to change is to turn off automatic login, which we discussed in a recent Mac security tip. But another security precaution to take is to create a non-login keychain, so when you do log in, your keychain stays protected until you enter a password.

To do this, open Keychain Access (in your /Applications/Utilities folder), then choose File > New Keychain. The program will ask you to name the keychain - you could use your user name or any other name - and then for a password. Don’t use the same password that is assigned to your user account; the point of creating a second keychain is that it has a different password, so someone who learns or resets your account password still can’t open it.

After you’ve created the keychain, it will appear in the sidebar of the Keychain Access application. Next, click on the login keychain, select all the items in the right-hand section of the window, and drag them to the new keychain. You’ll be asked for the login keychain’s password to authorize this. Moving these items means that they won’t be unlocked when you log in, and that they’ll only be available from your new keychain. Anything that must be available without a prompt, such as a password used at startup to mount a volume, has to stay in the login keychain, and you may prefer to move only your most sensitive items rather than all of them.

When you next try to access an item in the keychain, you’ll have to enter your password; not your user account password, but the one for the keychain you just created. By default, the first request unlocks the keychain, and the keychain will lock again in 5 minutes. If this is too soon, you can change the amount of time before it locks; you could choose, say, 30 minutes, so you don’t have to enter your password too often.

To do this, choose Edit > Change Settings for Keychain. By default, this is set to lock again after 5 minutes of inactivity. It’s best to leave Lock when sleeping checked, especially if you have a laptop. This means that whenever you close the lid of your laptop, the keychain will be locked. If anyone steals your laptop, your passwords will be protected. And, since they don’t depend on the password for your user account, even if a thief resets the password for your account, they won’t be able to access your top-secret credentials.
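The same procedure can be done from Terminal with the macOS `security` tool instead of Keychain Access. The script below is an added example, not part of the original post: it creates the keychain, sets both lock-on-sleep and an inactivity timeout, adds the keychain to the search list without clobbering the existing entries, and then audits the resulting settings by parsing the one-line output of `security show-keychain-info`. The keychain name “secrets”, its location beside the login keychain, the 30-minute timeout, and the exact format of the show-keychain-info line are assumptions; macOS 10.12 and later name the file `secrets.keychain-db` rather than `secrets.keychain`. Because `security` only exists on macOS, the commands that call it run only when you pass `--apply` on a Mac; the audit helper is plain shell and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): the Keychain Access steps done
# with the macOS `security` command-line tool, plus an audit of the lock
# settings. Assumed: keychain name "secrets" in ~/Library/Keychains, a
# 30-minute inactivity timeout, and the show-keychain-info line format below.

KC_NAME="${KC_NAME:-secrets}"
KC_PATH="$HOME/Library/Keychains/$KC_NAME.keychain"   # .keychain-db on macOS >= 10.12

# Minutes -> seconds, the unit `set-keychain-settings -t` expects.
timeout_seconds() { echo $(( $1 * 60 )); }

# Create the keychain and require both lock-on-sleep (-l) and an inactivity
# lock (-u) after the given number of minutes (-t takes seconds).
# create-keychain prompts for the new password on the terminal; do not use
# `-p password`, which would leave the password in your shell history.
create_locked_keychain() {
    security create-keychain "$KC_PATH"
    security set-keychain-settings -l -u -t "$(timeout_seconds "$1")" "$KC_PATH"
}

# Keychain Access adds a new keychain to the search list for you; the CLI
# does not. `list-keychains -s` REPLACES the list, so re-add the existing
# entries (printed one quoted path per line) instead of clobbering them.
add_to_search_list() {
    old=$(security list-keychains -d user | sed 's/^ *"//; s/"$//')
    IFS='
'
    set -- $old "$KC_PATH"
    unset IFS
    security list-keychains -d user -s "$@"
}

# Audit one line of `security show-keychain-info` output. Assumed format:
#   Keychain "<path>" lock-on-sleep timeout=1800s
# with "no-timeout" in place of timeout=... when the keychain never locks by
# itself. Succeeds only if the keychain locks on sleep AND its timeout is at
# most max_minutes.
lock_settings_ok() {
    line=$1
    max_secs=$(timeout_seconds "$2")
    case "$line" in *lock-on-sleep*) ;; *) return 1 ;; esac
    secs=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    [ -n "$secs" ] && [ "$secs" -le "$max_secs" ]
}

# Audit a real keychain on a Mac (show-keychain-info writes to stderr).
audit_keychain() {
    info=$(security show-keychain-info "$1" 2>&1)
    if lock_settings_ok "$info" "$2"; then
        echo "OK:   $info"
    else
        echo "WEAK: $info" >&2
        return 1
    fi
}

# Only touch the real keychain store when explicitly asked, and only on macOS.
if [ "${1:-}" = "--apply" ] && command -v security >/dev/null 2>&1; then
    create_locked_keychain 30
    add_to_search_list
    audit_keychain "$KC_PATH" 30
    # Lock it now rather than waiting for the first timeout to expire.
    security lock-keychain "$KC_PATH"
fi
```

Run it as `sh make-keychain.sh --apply` on the Mac itself; it will prompt for the new keychain’s password twice. Afterwards `security find-generic-password -s some-service -w "$HOME/Library/Keychains/secrets.keychain"` behaves like the GUI: the first request after a lock brings up the password dialog for the new keychain, not your account password. `audit_keychain` can be pointed at any keychain path to check that lock-on-sleep is still set and the timeout has not been silently raised.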

Creating a separate keychain is one of the best ways to protect your stored passwords from being discovered. Because the keychain password is different from your login password, learning or resetting your account password no longer unlocks the keychain, and as long as that password isn’t easy to guess, no one else should be able to read what it contains. The keychain file itself is only as strong as the password that encrypts it, so choose a long one that you don’t use anywhere else.

  • Anonymous

    As a newer user to Macs, it hadn’t occurred to me that I should do this to increase security on my MacBook.  I followed your steps to create a non-login keychain, but ultimately decided to move only the most secret or sensitive items into my new keychain. Worked like a charm.

    Thanks for the Mac security tip! 

  • Anonymous

    Thanks for the reminder

  • Anonymous

    Having a second keychain for information you consider very sensitive makes sense. But you also have to get the balance right between security and usability. In my normal login keychain I have passwords, keys, and certificates for my email accounts, FaceTime, Evernote, FTP access to my web site and my NAS, Skype & GoogleReader password (NetNewsWire), and the password to my encrypted Time Machine volume (so it can be mounted at startup). For web passwords I use a separate password manager.
    My other (‘secure’) keychain has passwords to disk images containing sensitive personal data, documents or photos.

    And locking the login keychain after 5 mins – I had that long long ago. It was such a pain!!! Now it only locks when my mac goes to sleep. So much better. Just put your mac to sleep or lock the screen when you leave it. 

    Also, even if a thief (who is actually interested enough in your data instead of just selling the device) manages to reset your user account password – he cannot access the data stored in your login keychain unless he knows the original password. The login keychain password will NOT be reset to the one chosen by the thief.