SECURITY

The Keychain

7/27/2012 11:35:36 AM

For top security, your usernames and passwords belong in the keychain

Whatever you want to do with your Mac, iPhone or iPad, you need to prove who you are using authentication. Although there are alternatives based on physical devices or biometrics, from first logging on to shutting down this normally means a succession of usernames and passwords. Whether you’re connecting to Facebook or paying the Inland Revenue online, many things in life demand authentication.

Maximum security: OS X’s keychain is a safe place to store all of your usernames and passwords

In early versions of Unix, usernames and password hashes were kept in a world-readable text file, /etc/passwd. Attackers quickly learned that once you had a copy of that file you could guess passwords against it offline at your leisure, and a recovered password let you do whatever that user could on the system; the hashes were later moved into the protected shadow file for exactly this reason. As the Mac OS became better geared to multi-user and network use, Apple realised that there needed to be a better repository for authentication information: the keychain. It was originally built for Apple’s PowerTalk email and collaboration system, to let you connect to a range of different mail servers and work with several mail accounts, returned as a general system facility in Mac OS 8.6, and was then incorporated into OS X as a generic system service, open to all applications.

A keychain, and OS X and iOS routinely handle several of them, is simply a container in which passwords and other sensitive information are kept in encrypted form. When OS X, iOS or an application needs credentials, for example when a website prompts you for your username and password, they can be looked up in the keychain and handed to the application to complete the authentication without you having to type anything from memory.

Keychains store more than just usernames and passwords. They also hold copies of security certificates that are used to verify the authenticity of sites and services, cryptographic keys that you might use in encryption tools such as X, and (in OS X, not iOS) secure notes that let you add arbitrary text, perhaps the answers to security challenge questions or similar. Only passwords, keys and the contents of notes are held in encrypted form within the keychain; certificates are not encrypted and remain readable even while the keychain is locked. The cipher is not the weak point: OS X keychain files are encrypted with Triple DES, and iOS encrypts its keychain items with AES under keys tied to the device, and neither can be broken directly by even a highly skilled attacker. What someone who steals a keychain file attacks instead is the password it was locked with, by guessing candidates offline as fast as their hardware allows, so the protection a keychain gives you is only as good as that password.

Macs and iOS devices always have multiple keychains

Macs and iOS devices always have multiple keychains, which can be open simultaneously. OS X keeps them in Keychains folders: your own in the Library folder of your Home folder (~/Library/Keychains), those for all users in the top-level Library (/Library/Keychains), and libraries of certificates and some other system-related information in /System/Library/Keychains. Generally speaking, items specific to each user are kept in that user’s personal keychains, while those required by all users, or by the system before anyone has logged in, are kept in the Library folders that are accessible to everyone. Servers can also publish keychains in /Network/Library/Keychains for access by networked clients.

Keychain First Aid: the repair functions that once lived in a separate First Aid utility are now built into Keychain Access, which also has settings to control automatic locking

iOS is different, as it keeps its apps running apart from one another in ‘sandboxes’, limiting their access to shared facilities as much as possible. iOS has a single keychain database, but every item in it is tagged with an access group derived from the app’s code signature, and an app can only see items in its own groups (apps from the same developer can share a group): hence password details stored by the iOS version of Safari aren’t available to other apps that happen to have web access.

Apple’s Keychain is a trademarked implementation built on the open-source Common Data Security Architecture (CDSA) and its Common Security Services Manager (CSSM) interface, but those aren’t widely supported on other systems. Conforming Mac applications, such as Apple’s Mail and Safari, enjoy full access to keychains: log on to most sites using Safari and it will store and recall your username and password, just as it will try to autocomplete web forms when set to do so. Not all sites permit that, and sometimes Safari doesn’t recognise prompts for authentication made on a different page from the one the keychain entry was saved for.

Apple’s Keychain is a trademarked implementation built on the open-source Common Data Security Architecture (CDSA)

Your default personal keychain is named ‘login’ and, as that suggests, is unlocked when you first log into that account on your Mac (provided its password still matches your login password). Once it is unlocked, applications on an item’s access list can read that item without any further authentication. Once the keychain is locked again, any encrypted information contained in it is only accessible after you have authenticated again by entering the keychain’s password.

In normal circumstances, requests for protected information in a keychain should only come from trusted software. However, if an attacker gains access to your Mac or iOS device, perhaps by getting a Trojan onto it, that Trojan could try to steal passwords from your keychains. Accordingly it’s good security practice to keep keychains locked as much of the time as possible. Any Trojan that then tries to read passwords will have to get you to enter the keychain password, which should arouse your suspicions and let you refuse the request. Bear in mind that a password dialog can be imitated, so treat any prompt you didn’t expect as a reason to stop and investigate rather than to type.

By default, the password that unlocks your login keychain is the same as the password you use to log onto OS X, which is how it can be unlocked silently at login. You can change the keychain password independently of the user’s login password, and requiring a different and even stronger password for keychain access is another good way of increasing the security of your system, at the cost of being prompted for it after each login. If the two drift apart by accident, for example after a password reset, the login keychain simply stops opening automatically and must be unlocked by hand.

Keychain Access allows you to store text notes of arbitrary content, which are encrypted into the keychain of your choice

Keychain Access

Keychain Access, in the Utilities folder inside your main Applications folder, is the one-stop tool for checking, editing and controlling entries in OS X keychains. When opened, it lists all the keychains it knows about on your Mac at the top left of its window, the different categories of item stored in the selected keychain below that, and the items themselves in the main area.

If you’ve forgotten a username and password, and it hasn’t been autocompleted by Safari or whichever application is showing the prompt, locate the site or service in the Passwords category and double-click it to view its details. You may then need to authenticate to unlock the keychain before you can tick Show Password and see what has been set. Use the same process to change details, such as when you start using a new password, and to clear away expired certificates, passwords and the like. Store sensitive text in encrypted form as a secure note, if you wish.

You can also view which applications are set to have instant access to each item in a keychain by opening the item and clicking on the Access Control tab. This doesn’t prevent other applications from gaining access, but you’ll be prompted to permit it, either as a one-off (Allow) or permanently by adding the application to that item’s Access Control List (Always Allow).

Keychain First Aid used to be a separate utility, but the ability to check the integrity of a keychain and repair it if necessary has now been rolled into the single application, accessed through its entry in the Keychain Access menu. You can also use its padlock icon to lock your keychain immediately, and preference settings to force automatic locking for additional security.

OS X protects individual items within a keychain with Access Control Lists (ACLs). These are the keychain’s own ACLs, not the filesystem ACLs that extend file permissions in the Finder, and they list the applications trusted to read each encrypted item. This means that if Safari is one of the trusted applications for your online banking password and your keychain is left unlocked, you won’t be prompted to authenticate at all when you log onto the bank using Safari. If the keychain has locked itself automatically, you’ll be prompted for the keychain password before Safari can unlock it and fill in your username and password.

If an application that isn’t on the item’s list tries to obtain the password for your online banking service from your keychain, even with the keychain unlocked, a dialog will ask whether you wish to grant it access to that item. You won’t be asked to authenticate if the keychain is already unlocked, but that dialog is intended as an additional layer of protection, against malware for instance.
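Everything this section describes can also be driven from the Terminal with the `security` tool that ships with OS X. The script below is an added example, not something from the article or from Apple: it builds a throwaway keychain in a temporary directory (the path, the keychain password, the account name, the service name and the stored secret are all constructed for the demo), sets auto-locking, adds an item with Safari on its access control list, locks and unlocks it, and finally gives it a password separate from the login password. It runs only on OS X or macOS and exits without doing anything elsewhere.

```shell
#!/bin/sh
# Added example (not from the article): the keychain model exercised with
# OS X's `security` tool on a scratch keychain, so the login keychain is
# never touched. All names and secrets below are constructed for the demo.
set -eu

if ! command -v security >/dev/null 2>&1; then
    echo "security(1) not found; this example needs OS X / macOS" >&2
    exit 0
fi

KC="${TMPDIR:-/tmp}/keychain-demo-$$.keychain"   # scratch keychain (hypothetical path)
KC_PASS='scratch-keychain-pw'                      # its initial password (constructed)
ACCOUNT=alice                                      # constructed sample credential
SERVICE=demo-bank.example
SECRET='Tr0ub4dor&3'

cleanup() { security delete-keychain "$KC" >/dev/null 2>&1 || true; }
trap cleanup EXIT

# 1. Create the keychain. It is not added to the search list, so ordinary
#    applications never see it; every command below names it explicitly.
security create-keychain -p "$KC_PASS" "$KC"

# 2. Auto-locking, the same setting as Keychain Access > Edit > Change
#    Settings: -l locks when the Mac sleeps, -u -t N locks after N idle seconds.
security set-keychain-settings -l -u -t 300 "$KC"
security show-keychain-info "$KC"          # reports lock-on-sleep timeout=300s

# 3. Add an item. The tool that creates an item (security) is trusted to read
#    it by default; -T adds Safari to the item's ACL as well. Passing -T ""
#    instead would leave the ACL empty, so every reader, even on an unlocked
#    keychain, gets the Allow / Always Allow / Deny dialog.
security add-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$SECRET" \
    -T /Applications/Safari.app "$KC"

# 4. Reading. Item attributes are stored in clear and can be listed while the
#    keychain is locked; the secret (-w) cannot, and asking for it would pop
#    up the unlock dialog, so the function unlocks non-interactively first.
read_demo_password() {
    security unlock-keychain -p "$KC_PASS" "$KC"
    security find-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$KC"
}
security lock-keychain "$KC"
security find-generic-password -a "$ACCOUNT" -s "$SERVICE" "$KC"   # metadata only
read_demo_password                                                  # prints the secret

# 5. Give the keychain a password of its own, as the article recommends for
#    the login keychain (which then no longer unlocks itself at login).
NEW_PASS='a-longer-independent-keychain-pw'
security set-keychain-password -o "$KC_PASS" -p "$NEW_PASS" "$KC"
KC_PASS=$NEW_PASS
security lock-keychain "$KC"
read_demo_password      # still works, now with the independent password
```

Run it as an ordinary user; no command touches your login keychain because every call names the scratch keychain explicitly. Asking for a secret with -w from a locked keychain, or from an item whose ACL does not include `security`, makes the tool raise the same dialog Keychain Access users see, which is why the script unlocks with -p before each read.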

Security dialogs that allow setting or editing of passwords can normally bring up Password Assistant, here suggesting a ‘memorable’ password

Information stored in your keychain is important and needs to be carefully backed up. Policies differ between OS X and iOS. Macs that use Time Machine or other tools to back up the contents of Library folders automatically back up the keychains stored there. iOS backups made through iTunes do include the keychain, but unless you choose an encrypted backup with its own password the keychain is protected with a key that only the original device holds, so it cannot be restored to a replacement device, and some items are flagged by their apps never to leave the device at all. Either way, it’s most important that you keep independent records of all the important access details that are stored in your keychains. Accidental corruption is unusual, but does occur; keychains are a potential target for destructive malware, and clumsy efforts to break into them could lead to damage.

Set Password Assistant’s type to Manual and you can use it to evaluate the strength of your existing and intended passwords

Armed with this understanding of how keychains work, you should be able to keep your Mac and iOS devices more secure, and cope with occasional glitches.

Robust passwords

Your security is only as good as the passwords that you use. If they’re easy for potential intruders and online criminals to guess - and you’d be shocked at how many people still use ‘password’- then your account(s) will be compromised and your identity could be stolen as well. Be very wary of using the same password for different services and systems: if one becomes compromised and your details stolen, a criminal could use that to gain access to your other accounts, such as online banking.

One of the main purposes of keychains is to let you use a rich range of passwords that can’t be broken easily, but which would be hard to remember and tedious to keep typing in by hand. OS X includes an excellent service to suggest passwords and test their strength, Password Assistant.

Password Assistant is launched whenever you click on its key icon, which is normally found at the right of any system dialog that prompts you to create a new password or edit an existing one. An easy way of getting to it is to open a password item in Keychain Access, where the icon appears immediately after the password field.

Passwords can be suggested according to several different criteria, of which the Memorable option is generally the most useful. Aim for 12 characters or more, and never use a password shorter than eight. Most people can come up with memorable passwords that mix lower- and upper-case letters, digits and punctuation, and these rate highly on Password Assistant’s strength indicator. Avoid anything that could be found by a dictionary search, which includes most personal and place names, as that is a common way of breaking passwords; length counts for more than a clever mix of characters.
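As an added example (mine, not the article’s or Apple’s; Password Assistant’s own scoring is not published, so this does not reproduce it), the shell functions below put numbers on the advice above. The estimate is the standard one: an attacker who knows which character classes you used must search pool^length candidates, so the work is length × log2(pool) bits, unless the password is a dictionary word dressed up with a capital or trailing digits, which a word list finds regardless of the pool. The tiny word list is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): a rough password-strength model.
# bits = length * log2(pool), where pool is the size of the character
# classes present; a dictionary word with decoration is rated weak outright.
set -eu

# Constructed stand-in for an attacker's word list (real ones run to millions).
WORDLIST='password letmein qwerty monkey dragon london'

# Search-space size in bits for a brute-force attacker who knows the classes used.
password_bits() {
    pw=$1
    pool=0
    case $pw in *[[:lower:]]*) pool=$((pool + 26)) ;; esac
    case $pw in *[[:upper:]]*) pool=$((pool + 26)) ;; esac
    case $pw in *[[:digit:]]*) pool=$((pool + 10)) ;; esac
    # anything left after removing letters and digits is punctuation/symbols
    if [ -n "$(printf '%s' "$pw" | tr -d '[:alnum:]')" ]; then
        pool=$((pool + 33))
    fi
    awk -v n="${#pw}" -v p="$pool" 'BEGIN { printf "%d\n", n * log(p) / log(2) }'
}

# True if the password is a list word once case, leading and trailing
# non-letters are stripped ("Password1!" -> "password").
in_wordlist() {
    core=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[^a-z]*//; s/[^a-z]*$//')
    for w in $WORDLIST; do
        [ "$core" = "$w" ] && return 0
    done
    return 1
}

# weak: in the word list or under 40 bits; fair: 40-63 bits; strong: 64 and up.
rate_password() {
    pw=$1
    if in_wordlist "$pw"; then echo weak; return; fi
    bits=$(password_bits "$pw")
    if [ "$bits" -lt 40 ]; then echo weak
    elif [ "$bits" -lt 64 ]; then echo fair
    else echo strong
    fi
}

for pw in 'password' 'Password1!' 'Kf9#tQ2m' 'correcthorsebatterystaple'; do
    printf '%-28s %3s bits  %s\n' "$pw" "$(password_bits "$pw")" "$(rate_password "$pw")"
done
```

The instructive rows are the last two: 'Kf9#tQ2m', eight characters drawn from all four classes, scores about 52 bits, while the lowercase-only 'correcthorsebatterystaple' scores about 117, so length beats complexity and the 12-character floor matters more than the character mix. 'Password1!' scores 65 bits on paper but is rated weak because its core is a dictionary word.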
