Safe Computing

Understanding Password Security on Your Mac

Even if you believe you’re the only person who has access to your Mac, think again. Do you have roommates? Do you invite people to your home? When you’re on campus, do you ever leave your Mac for a few minutes, even if it’s with a friend? Do you leave it in your unlocked office?

Why should you care? You probably already know the answers, but:

  • How valuable is the data you keep on it? Research, school work, personal—leave your Mac unprotected and it can all become someone else’s.
  • Working on a special report? Would you really notice if someone messed with it?
  • Think how easy it would be to send e-mail in your name. It would be especially embarrassing if it were done maliciously, and it would be hard to prove it didn’t come from you.
  • What about passwords? Are you like many people who leave them accessible on your computer?

This document will help you understand how you can protect yourself by protecting access to your Mac.

Always Log In

There are two parts to logging in when using a password—turning your Mac on and waking it up from sleep or a screen saver.

Turn Me On

Set your Mac to require a password after starting up.
  1. Under the Apple menu, select System Preferences.

  2. In the System Preferences window, click Accounts.

  3. In the Accounts window:

    1. Select your account.
    2. If the Lock icon looks closed, click it. You’ll be asked for the password you chose when you created this account; this is the same password you may already use to log into your Mac. Enter it and click OK.
    3. Click Login Options.
    4. Set the Automatic Login pull-down menu to Off.
    5. Click the opened Lock icon to close it.

Wake Me Up

You’re only half protected if you don’t require a login after you wake your Mac or when it comes out of screensaver mode.

  1. Start System Preferences again.

  2. Click Security.

  3. In the Security window, click the Require password to wake this computer from sleep or screen saver checkbox.

Keychain

Your Mac’s Keychain is a valuable password management tool that few Mac users understand. Within your Keychain you can securely store all your passwords for applications, servers and websites; cryptographic keys and certificates; and even information unrelated to your computer, such as credit card numbers or personal identification numbers (PINs).

Your Mac Keychain requires a secure password to access all of your passwords and other information stored within the Keychain file. If you lose your Keychain password, in most cases it can be reset; however, this is not failsafe. Always have a backup location or document with your passwords in the event you lose your Keychain password and it cannot be reset. Refer to Resetting Your Keychain Password.

A program called Keychain Access allows you to manage your Keychain(s). You will find it in the Utilities folder within your Applications folder.

Your default Keychain—called login—automatically unlocks when you log in to your user account. You can set this Keychain so that it does not unlock until you enter a password, or so that it always stays locked, which would require your password every time your Mac wants to access it.

If these methods sound tedious to you, here’s a secure alternative. Keep regularly used data that does not need to be private in your login Keychain. These may include some website logins, certificates, and access to your home wireless network. Create additional Keychains with unique passwords for items you want to remain secure until you need the information—work-related servers, online banking logins, personal information such as credit and debit card numbers. You can create as many Keychains as you like.

Making It Easy

Make it easy to access your Keychain(s) by adding the Keychain icon—a lock—to your Menu Bar.

  1. In the Utilities folder within Applications, click Keychain Access.

  2. In the Keychain Access menu, click Preferences.

  3. In the Preferences dialog box:

    1. Click the General tab.
    2. Select the Show status in Menu Bar checkbox.
  4. Click the Keychain lock icon in the Menu Bar to show and alter the status of your Keychain(s).

Making More Keychains

Now it’s time to create at least one more Keychain that will not automatically unlock when you log in.

  1. Under the Keychain lock icon in the Menu Bar, select Open Keychain Access.

  2. In the File menu, click New Keychain.

  3. In the New Keychain dialog box, enter the name you wish to call this Keychain in the Save As field. Click Create.

  4. Enter a password for your new Keychain, and then enter it again in the Verify field. Click OK.

  5. Under the Keychains list in the Keychain Access window, select your new Keychain.

  6. In the Edit menu, click Change Settings for Keychain [name].

  7. In the Keychain Settings dialog box:

    1. Make certain that the first two checkboxes are selected.
    2. In the first item, set the number of minutes of inactivity before the Keychain locks. Shorter is safer.
    3. Click Save.
  8. Add items that you want to reside in this Keychain.

    • If an item already exists in the login (or other) Keychain:

      1. Under the Keychains list in the Keychain Access window, select the Keychain you want to move an item from—for example, login.
      2. Click and drag the item to your new Keychain in the Keychains list.
    • Allow items to be added to your Keychain as you go about your normal day-to-day activities. They will most likely appear in your login Keychain but you may not know they were added, so check periodically and move items to another Keychain as desired.

    • Create a new item for the Keychain. HINT: This option is best suited for highly technical individuals. In step 3, the correct information to enter in the Keychain Item Name and Account Name fields can vary widely and may not be what you expect. Before proceeding, spend some time double-clicking items in your login Keychain to get a sense of the required information.

      1. Under the Keychains list in Keychain Access, select the Keychain that you want to add an item to.
      2. In the File menu, select New Password Item.

      3. In the dialog box, enter the required information and click Add. Refer to the HINT above for suggestions.
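
The two lock settings from step 7 can also be checked from Terminal. The script below is an added example, not part of the original page: it parses the summary line printed by the macOS `security show-keychain-info` command. The line format shown in the comments, the sample keychain names, and the 10-minute limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit a keychain's lock settings.
# Assumed summary-line format of `security show-keychain-info <keychain>`:
#   Keychain "<path>" lock-on-sleep timeout=300s
#   Keychain "<path>" no-timeout
MAX_TIMEOUT=600   # assumed policy: lock after at most 10 minutes idle

# Prints OK or WEAK:<issues>; returns non-zero when a setting is weak.
check_keychain_line() {
    # Drop the quoted path so only the settings tokens are inspected.
    flags=$(printf '%s\n' "$1" | sed 's/^Keychain ".*" *//')
    issues=""
    case " $flags " in
        *" lock-on-sleep "*) ;;
        *) issues="$issues no-lock-on-sleep" ;;
    esac
    # "no-timeout" has no "timeout=<n>s" token, so secs stays empty.
    secs=$(printf '%s\n' "$flags" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    if [ -z "$secs" ]; then
        issues="$issues no-inactivity-timeout"
    elif [ "$secs" -gt "$MAX_TIMEOUT" ]; then
        issues="$issues timeout-too-long(${secs}s)"
    fi
    if [ -n "$issues" ]; then
        echo "WEAK:$issues"
        return 1
    fi
    echo "OK"
}

# On a Mac: audit_keychain login.keychain
# The summary may be written to stderr, so both streams are captured.
audit_keychain() {
    check_keychain_line "$(security show-keychain-info "$1" 2>&1)"
}

# Constructed sample lines (hypothetical user and keychain names).
GOOD='Keychain "/Users/sample/Library/Keychains/banking.keychain" lock-on-sleep timeout=300s'
OPEN='Keychain "/Users/sample/Library/Keychains/login.keychain" no-timeout'
SLOW='Keychain "/Users/sample/Library/Keychains/work.keychain" lock-on-sleep timeout=3600s'

for line in "$GOOD" "$OPEN" "$SLOW"; do
    check_keychain_line "$line" || true
done

# To apply both settings with a 5-minute timeout:
#   security set-keychain-settings -l -u -t 300 banking.keychain
```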

Controlling Application Access

In general, you should limit the applications that have access to a Keychain item. Doing so provides you with extra security. Keychain does this automatically when it creates an item for you.
  1. In Keychain Access, double-click the item you want to limit.
  2. In the dialog box:
    1. Click the Access Control tab and if prompted, enter that Keychain password.
    2. If desired, select the Ask for Keychain password checkbox.
    3. To add an application, click the + (plus) button and browse for the application.
    4. To delete an application, select it and click the – (minus) button.
    5. Click Save Changes.

Using Secure Notes

A secure note is simply text you've entered, or pasted from elsewhere, which cannot be viewed without supplying the right password. Use this for securing credit card or bank account numbers, for example. We recommend you use a different Secure Note for each item.

Keep the chosen Keychain locked until you need to access its contents.

  1. In Keychain Access, select a Keychain other than login, or create a new Keychain. Refer to the Making More Keychains section above.
  2. Under the File menu, select New Secure Note Item.
  3. In the Secure Note window:
    1. In the Keychain Item Name field, enter a name for your note.
    2. In the Note section, enter the information you want to securely store.
    3. Click Add. If prompted, enter the password for that Keychain.

Locking and Unlocking Keychains

There are several ways to lock and unlock a Keychain.
  • Click the Lock icon in the Menu Bar and make your choice.
  • In Keychain Access:
    • In the Keychains list, right-click the Keychain name and make your selection. SINGLE-BUTTON MOUSE? Hold down the Control key and click the name.
    • In the Keychains list, select the Keychain name, then click the Lock icon in the upper-left Keychain Access window.

Retrieving Passwords

  1. In Keychain Access:
    1. Under the Keychains list, select the appropriate Keychain.
    2. Double-click the item that has the password you want to retrieve.
  2. In the Base Station dialog box, select the Show password checkbox.
  3. In a new dialog box, enter the password for the Keychain that the item resides in and click Allow.
  4. In the Base Station dialog box, the password for the item appears.

Resetting Your Keychain Password

If you forget your Keychain password, you can reset it to your user password. This allows you to access your Keychain but doesn’t change any of the passwords or encryptions within it.

The following Keychain reset procedures are not failsafe. If you cannot reset your Keychain password you will lose all the passwords and other information stored within that Keychain file. We recommend that you create a backup document or other safe location for your passwords in the event you lose your Keychain password.

To reset your Keychain password in Mac OS X 10.4, Mac OS X 10.5, and Mac OS X 10.6 Snow Leopard or later:

  1. Open Keychain Access and click Preferences.
  2. In the General tab, click Reset My Default Keychain.
  3. Enter your login password.
  4. Click OK and then restart your computer.

Additional Resources

Secure Your Computer (Mac)