1 Reply Latest reply: Nov 19, 2010 7:58 AM by thomas_r.
martinneep Level 1 Level 1 (5 points)
I need some help understanding the purpose of Keychain Access, as it stands I just don't get it???

For exmaple...

I log on to Facebook, and my user ID and password are saved in a keychain. What is the point of this? If I double click on the entry in keychain and select 'ask for keychain password', it makes absolutely no difference. Next time I navigate to facebook, it still logs in automatically, no password required???

I just don't see what security benefits it brings. If anything, I see it as a security flaw. It's a place where somebody can go on my system to copy down every single username and password that I have stored!
  • thomas_r. Level 7 Level 7 (30,120 points)
    Your keychain is an encrypted place that you can store many passwords. However, with the default settings, your keychain is automatically unlocked when you log in. Leaving your computer unattended while logged in with an unlocked keychain is a security risk, yes. If you lock your keychain, however, nobody's getting access to it. Even if someone were to reset your account password, they'd still have to know the keychain password (identical to the old account password by default) to open it. And, note that, although someone can log in to, say, your Facebook account on your machine that has been left unattended, they cannot see the passwords themselves unless they know your password.

    If you don't like the way it works, you have two options. One is to refrain from storing passwords in the keychain. You are always asked, usually via a check box in the password request dialog, whether you want to store a password in the keychain, and in Safari, you can simply turn off all Autofill settings.

    Alternately, you could change your keychain password so that it is not the same as your account password. This means you will have to unlock it every time the OS wants a password. You can also use Keychain Access to set it to lock automatically after x minutes or when sleeping, and can show the menu icon for an easy way to lock/unlock the keychain manually.

    Ultimately, if you're leaving your machine logged in, unattended and with untrusted people, you could have bigger problems than an unlocked keychain.