Power of the Keychain




An addendum was added to this article on November 9th.

The Problem

Passwords are everywhere and continue to accumulate in the financial, educational, corporate, and personal levels of our societies. Passwords keep nonpaying visitors from accessing member sections on various websites, while educational institutions require a login to restrict the usage of subscribed services or online classes. Financial institutions require account and PIN numbers for online banking, and individuals encrypt sensitive files with passphrases. Keeping track of all these passwords, passphrases, and logins without compromising security is a daunting process. Writing them down may defeat the purpose of even having passwords, and forgetting them… well, let’s not even entertain that thought. So what’s the common, memory lapse-prone Mac user to do? Apple’s under-utilized and often misunderstood Keychain may just fit the bill.

A Brief History

Keychain has had a rough childhood, originally coming into this world with the introduction of Apple’s PowerTalk software in System 7.5. Alas, PowerTalk didn’t hold up among the Mac faithful, partly due to its hefty memory requirements, and thus the technology, along with its Keychain feature, was discontinued and unsupported by the time Mac OS 8 came on the scene. Keychain, however, didn’t slip into total oblivion. Obviously someone at Apple saw enough potential in the feature to salvage it from PowerTalk’s grave and resurrect it in Mac OS 9, but why do so many Mac users still shun this security tool that’s come back from the dead? Maybe they haven’t taken the time to get properly acquainted, or perhaps they haven’t seen past the annoying confirmation dialog boxes. Whatever the case, this article will show you the power of Keychain and why I consider it to be one of the best features of OS 9.

A Solution

So what exactly does Keychain have to offer? Put simply, it stores frequently used passwords and uses them automatically when needed. Most email and FTP programs, for example, can already do this, but how well those passwords are concealed, and how readily someone can get at the password-protected content, depends on how security-conscious each developer is. Keychain encrypts these passwords in a centralized location called (surprise) a keychain and uses them automatically only when it has been unlocked with a master password. Even if a keychain is left unlocked, a password can be used but cannot be revealed without re-entering the master password.

Keychain Locked
This is the Keychain Access control panel. You select the keychain you wish to unlock from the popup menu and type the password in the field below. Pretty straightforward, huh?

Keychain Unlocked
After unlocking the desired keychain, a listing with all the stored passwords appears. A keychain can store several different types of passwords, the most common being an Internet password and another type being an AppleShare password.

The Pet Peeve

As stated earlier in this article, one of the major reasons for Keychain’s lack of acceptance among Mac users has been its confirmation dialog boxes. By default, it is very conservative about automatically entering passwords, asking at each occurrence for the user’s permission. Two checkboxes in the confirmation dialog box supposedly limit the likelihood of future appearances under the same circumstances, but I, along with several other Mac users, am not convinced that these checkboxes do anything. Here are the steps to get rid of these annoying warnings for good:

  • Unlock your keychain via the Keychain Strip CSM or the Keychain Access control panel.
  • Select the menu item ending with “Settings…” from the Edit menu. You’ll need to re-enter your password to gain access to these settings.
  • Check the “Allow access without warning” checkbox and click the Save button.

Now anytime a password from an unlocked keychain is used automatically, you’ll just hear a key rattling sound. This should drive a stake through the heart of what I feel is the number one Keychain pet peeve.

Keychain Settings
These settings can only be accessed after re-entering a keychain’s master password. From here you can change the master password, turn off confirmation warnings, and automatically lock the keychain again after a certain idle time or when the system is put to sleep.

Keychain Support

Keychain may sport some pretty convenient features, but its power can’t be harnessed in applications unless developers support it. So, what programs already support Keychain? Well, let me give you some examples of what I use and how OS 9’s Keychain makes my life easier.

Eudora, a popular email program, has an option buried in the Miscellaneous preferences for storing email account logins in a keychain. This comes in handy for me as I check three different accounts daily, and I know that no one can download my email from my computer unless my keychain is unlocked.
Eudora Misc. Preferences

iCab, a small browser that is surprisingly functional even though it’s still in the beta stage, offers the option in its password preferences section to save authentication logins in the keychain. This is the only browser that I know of which offers this feature! Any website that uses the standard authentication dialog box can store its login info in the keychain for automatic entry in the future, a boon for quick, seamless access to members-only sections on various websites. This feature is one of the main reasons why I switched to iCab for most of my browsing.
iCab Password Preferences

Transmit, an FTP client, can store server login information in the keychain for quick, effortless connections. To add a login to the keychain simply type in the server address, your username and password, and the destination directory and choose “Add this to keychain…” from the popup menu in the upper right. The keychain provides easy access while still preventing other users from making an FTP connection with your password, provided that your keychain is locked.
Transmit Popup

The Possibilities

Mac OS 9’s Keychain provides convenience in password management while still providing security. Passwords are automatically entered only when you’ve unlocked the keychain with the master password. Otherwise, they remain securely hidden in an encrypted keychain file. Multiple keychains can be created for different password sets, and keychain files can easily be transferred to another Mac for quick, easy access to passwords when you’re away from home base. With Mac OS 9’s security features, files can be encrypted and the password stored in a keychain file. The keychain file could then be distributed to others who could now decrypt any files scrambled with that password. After some resource spelunking with ResEdit, I found evidence of at least proposed support for certificates and two-way encryption keys. Imagine having PGP-like functionality integrated at the system level! All of this gets a propeller head like me excited, but hopefully you can see why the Keychain feature can be such a useful tool for day-to-day use, not just for special circumstances.

Jeremy Hoesly
ResExcellence Software Tester
October 20, 2000

The Blue Theme, available at MacThemes, was used in the screenshots.

An Addendum (November 9, 2000)

Ken McLeod, one of the Keychain engineers, set the record straight concerning the confirmation dialogs. He stated that the first checkbox has the same effect as the “Allow Access Without Warning” setting, while the second checkbox allows an application to access a password without warning as long as it is running. That setting is not kept after the program is quit because “there’s no way in Mac OS 9 for the Keychain to know later that another application [with the same name] is the same one you trusted to access your passwords before.” If the Keychain is set to allow unrestricted access to passwords, then a program designed with malicious intent is able to grab them. I did not consider such a dangerous scenario, and I apologize for not informing you readers of such risks prior to giving instructions for disabling the confirmation safeguard. Ken says that the Keychain feature in OS X, while unchanged in the Public Beta, is likely to provide more transparent security.
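
The trust choices described in this addendum can be modeled in a few lines. This is an added example, not code from the original article or from Apple: the `Keychain` class, the `remembered` set and the digest-based identity are assumptions for illustration, showing why trust remembered by application name alone would let a different program with the same name through, while the per-run trust expires at quit.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class App:
    name: str
    code: bytes  # constructed stand-in for the executable's contents

def digest(app):
    return hashlib.sha256(app.code).hexdigest()

@dataclass
class Keychain:
    allow_without_warning: bool = False  # the global setting from the article
    key_by: str = "name"                 # how remembered trust is keyed: "name" or "digest"
    running: set = field(default_factory=set)     # second checkbox: trusted until quit
    remembered: set = field(default_factory=set)  # hypothetical trust kept across launches

    def _key(self, app):
        return app.name if self.key_by == "name" else digest(app)

    def trust_while_running(self, app):
        self.running.add(app)

    def quit(self, app):
        self.running.discard(app)  # trust is dropped when the program quits

    def remember(self, app):
        self.remembered.add(self._key(app))

    def request(self, app):
        """Return 'allow' (silent use) or 'prompt' (confirmation dialog)."""
        if self.allow_without_warning or app in self.running:
            return "allow"
        return "allow" if self._key(app) in self.remembered else "prompt"

def demo():
    mail = App("Mailer", b"original build")     # constructed sample
    fake = App("Mailer", b"different program")  # same name, different contents
    out, kc = {}, Keychain()
    kc.trust_while_running(mail)
    out["running"] = kc.request(mail)
    kc.quit(mail)
    out["after_quit"] = kc.request(mail)
    by_name, by_digest = Keychain(key_by="name"), Keychain(key_by="digest")
    by_name.remember(mail)
    by_digest.remember(mail)
    out["same_name_by_name"] = by_name.request(fake)
    out["same_name_by_digest"] = by_digest.request(fake)
    out["original_by_digest"] = by_digest.request(mail)
    out["global_setting"] = Keychain(allow_without_warning=True).request(fake)
    return out
```

With the global setting on, the last case shows every caller being served silently, which is the risk the addendum warns about.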

Maintained by the Staff of ResExcellence. This entire site ©1997-2003 ResExcellence