Securely storing passwords in keychain on mac


As with anyone nowadays, I have a ton of passwords, and keeping track of them is a real pain, especially when you also have to remember database and server passwords.

I was looking at using the keychain application that comes with OSX to store these. Is this a good idea, and is it secure?

I know that it only shows you the password in plain text if you A) have access to the machine and B) enter your machine's user login password, so from the front end it seems OK, but is it safe on the back end?


Posted 2013-09-10T20:15:58.683


A cross-site duplicate of How secure is Keychain on OS X?

– slhck – 2013-09-10T20:24:03.880



I know that it only shows you the password in plain text if you A) have access to the machine and B) enter your machine's user login password

B is true for Keychain Access but not for the security system in general. If the login keychain is unlocked, like it is by default when you are logged in, you can use security to see all passwords in the login keychain without having to enter any password:

security dump-keychain -d ~/Library/Keychains/login.keychain

security find-internet-password -s -w

You only have to press an allow button and the password is shown in plain text. Actually it's weird (and misleading) that Keychain Access and Safari do require entering the password of the keychain when you try to show a password.

There are at least three ways to reset the login password in single user mode or from the recovery partition. None of them reset the password of the login keychain though. If you try to log in after resetting the login password, you can't see any passwords in the login keychain, use auto-fill in Safari, or log in automatically in Mail. But if for example you use a Gmail address for your Apple ID, you have enabled automatic login in Gmail's web interface, and you don't use two-step verification for the Apple ID, an attacker could use the Gmail account to reset the Apple ID password. If the "Allow user to reset password using Apple ID" option in the Users & Groups preference pane is enabled, the attacker could then use the Apple ID to reset the password of the login keychain.

The hash of the login password is stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and 10.8. If your login password (which is usually also the password of the login keychain) is simple enough, the hash can be cracked in a practical amount of time with DaveGrohl:

$ sudo dave -u $USER
-- Loaded PBKDF2 (Salted SHA512) hash...
-- Starting attack

-- Found password : 'y8d'
-- (incremental attack)

Finished in 879.274 seconds / 31,385 guesses...
35 guesses per second.

10.7 used a weaker key derivation function, which made it easy to crack even relatively complex passwords. 10.8 switched to PBKDF2, which limits cracking tools to about 10 guesses per second per core.

If you have enabled automatic login, the password of the login keychain is stored in /etc/kcpassword in an easy-to-decrypt form as of 10.8.

If you want to allow someone to use your account but not see passwords with security, you can lock the login keychain from Keychain Access or with security lock-keychain.

When you are away from the computer, you can lock it by, for example, checking "Require password immediately after sleep or screen saver begins" in the Security preference pane and pressing control-shift-eject to turn off the displays.

You can also enable locking the login keychain automatically from Keychain Access.

If you want to prevent people who have physical access to your computer from starting up in single user mode (and resetting the login password or seeing the hash of the login password), enable FileVault 2.



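The answer above contrasts 10.7's weak key derivation with 10.8's PBKDF2 and quotes a guess rate of 35 guesses per second. The following is an added illustration, not code from any of the posts or from Apple: it derives a PBKDF2-HMAC-SHA512 hash the way the answer describes, measures how many verifications per second one core manages at a given work factor, and turns that rate into the password length a defender needs for a chosen time horizon. The salt, iteration counts and the "10.7-style" single-pass model are constructed demo values; the real per-user salt and iteration count live in the user's plist and are not read here.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values: the salt is random and the iteration counts are
# hypothetical. OS X 10.8 stores a per-user salt and iteration count in the
# user's plist; this example does not read that file.
ITERATIONS_10_8 = 20000   # assumed PBKDF2 work factor for the demo
ITERATIONS_10_7 = 1       # models a single salted SHA-512 pass (assumption)


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512, the construction the answer says 10.8 switched to."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, 128)


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing about the hash."""
    return hmac.compare_digest(derive(password, salt, iterations), stored)


def measure_guess_rate(iterations: int, trials: int = 10) -> float:
    """Verifications per second one core manages at this work factor (single-threaded)."""
    salt = os.urandom(32)
    start = time.perf_counter()
    for i in range(trials):
        derive(f"guess{i}", salt, iterations)
    return trials / (time.perf_counter() - start)


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length (what an incremental search walks)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def expected_seconds(alphabet_size: int, max_length: int, guesses_per_second: float) -> float:
    """Average time to hit a password: half the keyspace at the given verification rate."""
    return keyspace(alphabet_size, max_length) / 2 / guesses_per_second


def min_length_for_horizon(alphabet_size: int, guesses_per_second: float,
                           horizon_seconds: float) -> int:
    """Smallest password length whose expected search time exceeds the horizon."""
    length = 1
    while expected_seconds(alphabet_size, length, guesses_per_second) < horizon_seconds:
        length += 1
    return length


if __name__ == "__main__":
    salt = os.urandom(32)
    stored = derive("y8d", salt, ITERATIONS_10_8)   # the weak password from the answer
    print("verify correct :", verify("y8d", salt, ITERATIONS_10_8, stored))
    print("verify wrong   :", verify("y8e", salt, ITERATIONS_10_8, stored))
    for label, iters in (("10.7-style", ITERATIONS_10_7), ("10.8-style", ITERATIONS_10_8)):
        rate = measure_guess_rate(iters)
        print(f"{label}: {rate:,.0f} guesses/s on one core; "
              f"3 chars of [a-z0-9]: {expected_seconds(36, 3, rate):.2f} s; "
              f"length needed for a 10-year horizon: "
              f"{min_length_for_horizon(62, rate, 10 * 365 * 86400)}")
```

The useful output is the last number per line: the higher the work factor, the shorter the password a user can get away with for the same horizon, which is exactly why the 10.7 to 10.8 change mattered for simple login passwords.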

Someone with physical access would also need to be able to log in to your and/or an admin account, though, correct? You can't just open up the guest account and dump the keychain without a sudo password. This sounds like more of an airtight hatch vulnerability.

– Neil Neyman – 2013-09-11T01:54:10.370

@NeilNeyman Yeah, they'd have to login, and if the password of the login keychain is different from the login password, they'd also have to unlock the login keychain. I wasn't saying it's a vulnerability, but Keychain Access and Safari do require entering the password of the keychain when you try to show a password, so it can be surprising that security doesn't, even though that's how the keychain system works in general. – Lri – 2013-09-12T11:39:12.967


Any kind of datastore that allows you to get the plain-text representation of a password will be vulnerable. If it's reversible, it means it's brute-force reversible as well.

That said, Apple Keychain uses Triple DES, which is not likely to be brute-forced. Note that only the password and Secure Notes are encrypted.


