OS Keychain

Can save passwords. The default login keychain has a password that matches your user password. You can change this, but it causes two-step issues (the keychain no longer unlocks automatically when you log in).

The default keychain no longer syncs across Macs. This was lost when MobileMe turned into iCloud.

You could use a secondary keychain file, or a symlink, to get it syncing via Dropbox. This still only helps on OS X; it is no good on iOS devices.

Keychain Properties:

  1. Synchronize with login password.
  2. Set as default keychain.
  3. Keep unlocked.

Keychain verify/repair (Keychain First Aid):

  1. Open the Keychain Access application.
  2. On the menu, choose Keychain First Aid.
  3. It will want the password for the keychain that you had selected when you chose First Aid.
     1. Usually this is your default login keychain, and that password is your login password.
     2. Technically it does not have to be the same. In my experience it was too annoying to make them different. I did maintain a different keychain for more sensitive passwords until 1Password came along.

Keychain files can be dictionary-attacked.

If you use the single-user-mode password reset trick because you forgot your user password, you can log into your Mac, but it does not reset your login keychain password. This also assumes that you have not implemented hard drive encryption such as FileVault 2.

The Keychain Containers

1) Passwords: This is what we expect from a keychain.

2) Secure Notes: Text note container. 1Password can do this as well, but 1Password can also embed images.

3) My Certificates: These are ones you add yourself for services like encrypting/signing email.

4) Keys: Public/private keys. Some are created automatically, like iChat encryption keys; some you obtain and add yourself, like mail encryption keys.

5) Certificates: The majority of what is in this container is the trusted SSL certificates.

Type CNNIC in the search field. This is a trusted Chinese root certificate. That means anything they sign will show up as trusted in your web browser, will not cause prompts in most applications, etc. I right-clicked mine, clicked Get Info, expanded Trust, and changed "When using this certificate" to Never Trust across the board.
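The same two hardening steps (not leaving the keychain unlocked, and distrusting a root such as CNNIC) done with the macOS security(1) CLI, as an added example that is not part of these notes. The keychain paths, the 300-second idle timeout, the "CNNIC ROOT" common name, and the reading that a trust setting with no -p policy applies to every use (like the GUI's "Never Trust") are assumptions.

```shell
#!/bin/sh
# Added example: keychain hardening via the macOS security(1) CLI.
# Assumptions: keychain paths, idle timeout and CA common name are inputs;
# a deny setting with no -p policy constraint covers every usage.
set -eu

# Execute a command, or with DRY_RUN=1 only print it (lets the script be
# reviewed on any host before it is run on a Mac).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Instead of "Keep unlocked": lock on sleep (-l) and after N idle seconds
# (-u -t N), so an unattended Mac does not hand out stored passwords.
lock_keychain_settings() {
  keychain=$1; idle_secs=$2
  run security set-keychain-settings -l -u -t "$idle_secs" "$keychain"
}

# CLI form of Get Info > Trust > "Never Trust" for a root CA: export the
# cert by common name from the given keychain (assumed: the system roots
# keychain, since the default search list may not include it), then store
# a deny trust setting in the per-user trust store (-d = admin store).
distrust_root_ca() {
  ca_name=$1; roots=${2:-/System/Library/Keychains/SystemRootCertificates.keychain}
  pem=$(mktemp -t distrust.XXXXXX)
  run security find-certificate -c "$ca_name" -p "$roots" > "$pem"
  run security add-trusted-cert -r deny "$pem"
  rm -f "$pem"
}

# Check that the deny setting is honoured for SSL: verify-cert exits
# non-zero once the root is distrusted, so 0 here means "still trusted".
ca_still_trusted_for_ssl() {
  ca_name=$1; roots=${2:-/System/Library/Keychains/SystemRootCertificates.keychain}
  pem=$(mktemp -t distrust.XXXXXX)
  security find-certificate -c "$ca_name" -p "$roots" > "$pem"
  if security verify-cert -c "$pem" -p ssl >/dev/null 2>&1; then
    rm -f "$pem"; return 0
  fi
  rm -f "$pem"; return 1
}

# Usage on a Mac: run with DRY_RUN=1 first, then for real.
if [ "${1:-}" = "apply" ]; then
  lock_keychain_settings "$HOME/Library/Keychains/login.keychain-db" 300
  distrust_root_ca "CNNIC ROOT"
  if ca_still_trusted_for_ssl "CNNIC ROOT"; then echo "WARNING: CNNIC ROOT still trusted for SSL"
  else echo "CNNIC ROOT is now distrusted for SSL"; fi
fi
```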