Keychain Access is an Apple app in macOS that stores passwords and other login information — and it has a few features that go beyond iCloud Keychain. Here's how to get the most out of it.
Hidden inside the Utilities folder in the Applications section of Finder, Keychain Access doesn't immediately announce its presence. Safari stores usernames and passwords but that interface is more of a different way into Keychain Access. Before shopping around online for a third-party password manager, consider the Mac's built-in utility.
Keychain Access contains the various keys, passwords, and certificates created by the system with options for editing and deleting. In addition, it includes two features not found in iCloud Keychain: secure notes and a password generator.
Apple's macOS shows a dialog box in various places such as Safari to save login information. Keychain Access stores this information and optionally propagates it to other devices through iCloud Keychain.
Getting started
On the Mac, syncing is available in System Preferences > Apple ID. A box next to Keychain Access may be checked or unchecked to sync login information. Keychain Access stores other data types, including certificates, secure notes, and Wi-Fi passwords.
Keychain Access is found by typing the name into Spotlight and inside the Utilities folder within the Applications section of Finder. The app manages multiple keychains, such as iCloud, login, System, and System Roots.
The app lists various keychains in the left menu, and clicking one displays the items within that keychain. Each list includes the item name, its kind, its location, and the modified date.
Wi-Fi passwords are listed as "AirPort network passwords" in the Kind section, while app passwords are listed as "application passwords." "Web form passwords" are usernames and passwords created through Safari.
The system automatically stores most items in Keychain Access, and includes a Password Assistant that creates strong, unique passwords according to different rules.
Basic features of Keychain Access
Keychain Access has many features typical of a password manager, such as a password generator and secure notes, as well as a unique feature available only to a system such as macOS.
Generating a password
Safari can automatically generate a unique password for websites, with an option to edit them in iOS 16. But Keychain Access acts more like a traditional password manager, with password length and character configuration that includes letters, numbers, and special symbols.
To get started, open Keychain Access and click on the Passwords tab. Next, click on the square icon with a pencil to create a new keychain item. In the window that appears, click on the key icon next to the password field. Another option is to click on File > New Password Item in the menu bar or press Command-N on the keyboard.
The Password Assistant has an option to change the type of password, such as Letters & Numbers, Numbers Only, Random, and FIPS-181 compliant. It also rates the password strength against cracking, depending on how many characters it contains.
The Random option creates passwords that include letters, numbers, and special characters. FIPS-181 is a standard for an automated password generation algorithm that randomly creates pronounceable syllables as passwords. One example of this that the Password Assistant generated is "urnefloucmowshanaejthockimidelv."
Creating secure notes
Keychain Access creates and stores secure notes, just like other apps such as Apple Notes. These are created on their own, as opposed to the password notes that debuted in iOS 15.4.
Clicking the Secure Notes tab reveals this option. Next, click on the square icon with a pencil to create one. Another option is to press Shift-Command-N on the keyboard.
These are basic, plain text notes that don't offer formatting or customization. Each note is composed of a title and body of text, nothing more. They are not synced to iCloud Keychain and won't appear on other Apple devices.
Import, export, and copy
Some keychain items, such as security keys and certificates, can be imported and exported from one Mac to another. Passwords and secure notes cannot be exported from Keychain Access, however.
To import items:
- Click on File > Import Items in the Mac menu bar, or press Shift-Command-I.
- Find the file of items at its location within Finder.
- Choose the destination keychain and click Open.
To export items:
- Select the keychain items for export.
- Click on File > Export Items in the menu bar or press Shift-Command-E. If the Export Items menu is dimmed, Keychain Access can't export at least one item.
- Choose a location in Finder to save the file, then click the File Format menu to choose a file type.
- Click Save and enter a password, which is required to import keychain items on a different Mac.
Setup Assistant automatically transfers keychains to Keychain Access on a new Mac, and the keychain files in Finder can also be copied and pasted over without Setup Assistant.
To copy keychains:
- Open Finder, press and hold the Option key, and click on Go > Library in the menu bar.
- Inside the Keychains folder, find the appropriate files, typically ending with .keychain-db. Don't transfer encrypted folders with file names containing a bunch of numbers.
- Press Command-C and Command-V to copy and paste the files onto an external storage device.
Advanced features of Keychain Access
Creating passwords and secure notes and importing/exporting items are all essential features of Keychain Access. The app also has an advanced feature called Certificate Assistant.
Certificates
Keychain Access creates self-signed certificates, Certificate Authorities (CA), request a certificate from an existing CA, and view/evaluate certificates.
A Certificate Authority is an entity that manages digital certificates, which is a document that validates cryptographic public keys associated with another entity. These entities can be email addresses, websites, companies, and individuals.
In the menu bar, click on Keychain Access once the app has been opened, then select Certificate Assistant. Each option has onscreen instructions. For example, creating a CA involves choosing a name, selecting the identity type, picking a user certificate, and emailing it from the user's email address.
These features make Keychain Access a strong competitor to third-party password managers. In addition, it's easy to use, and best of all, it's free and already built into macOS.