safari wants to access key in your keychain

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Safari keeps asking permission to access the keychain

Normally when I save a password in Safari it will get added to my login keychain without fuss (assuming that it is already unlocked). But after I set a a master password the default keychain was changed to FileVaultMaster . When I set it back to login Safari then started to always ask for permission to access the keychain.

To get it back to the default behavior should I chose always allow or is there something else I should do?

• Same thing happened to me for Mail.app. The only way I got it to remember my passwords was to reinstall Mac OS (I reinstalled for different reasons, but it also solved the problem). –  alex Commented Aug 26, 2009 at 19:04

6 Answers 6

Yes, if you press Always Allow would put it back to it's default behaviour otherwise it will ask you to access the Keychain each time. By pressing Allow you tell the security system to allow Safari to access it once and only once, if you say Always Allow you say it can access it from now on until it is updated again. (Developers have an option to avoid this issue by signing their applications)

• Though for some reason (that I don't understand) signed applications are by default allowed incoming connections by the application firewall, I don't think they are by default granted access to the keychain as well? –  Arjan Commented Oct 6, 2009 at 12:31
• @Arjan: One of the main advantages for developers to sign their applications is that when a new version is released it won't ask for permission to access the keychain again as it still is "signed" and trusted as that application. –  Chealion Commented Oct 6, 2009 at 16:21
• Ah, I missed that part about "until it is updated again". That's true, though all Apple applications are signed, so one should indeed not get such prompt, not even if Safari is updated. But I guess you know that too. :-) (By the way, if you happen to know what might fail if the signature is messed up, then please read my superuser.com/questions/47504/… ) –  Arjan Commented Oct 6, 2009 at 16:46

You have two potential problems. The first is that your default keychain is no longer set to "login". Open up Keychain Access ( /Applications/Utilities/Keychain Access.app ), select the login keychain, and choose File » Make Keychain "login" Default .

The second potential problem is a damaged keychain. In Keychain Access, still with the login keychain selected, choose Keychain Access » Keychain First Aid . Enter your password and hit repair.

• I had already done both of those before I posted the question. In fact I mentioned doing the fist part in the question. –  GameFreak Commented Aug 26, 2009 at 23:11
• I, however, was really helped by the second suggestion. Thanks! –  Chris R Commented Oct 1, 2010 at 22:54

Though given your description I doubt it's the case, but maybe the digital signature of Safari itself is broken? You can test it using:

...which should give you:

(And if indeed it's broken, then see If Mac code signing is tampered with, what might fail? )

• The signature is valid. –  GameFreak Commented Oct 6, 2009 at 11:55

I've had about the same problem and it has everything to do with Code Signing. There are complex ways to change the Safari code signing, so take the easy way: just put you Safari application in the trash can and copy the complete (working) Safari application from another Mac (with the same version number) to yours.

Keychain Access will ask you for permission. Choose "always" and you're problem is fixed!

It did the trick for me after Googling and troubleshooting for hours...

I've had this problem with my Aunt's 2010 iMac; she forgot the master password and I performed a reset using the install disk. However, since then she has been plagued by the same issue detailed above, repeated requests for password. I finally had a chance to go to the Apple Genius bar having exhausted all discussion forums to no avail and was given an as yet unproven solution. The guy says he gets this problem all the time and he was pretty confident it would work.

As follows:

• Close all programs except the Finder and go to Home/Library (may also be Username/Library)
• Find the Keychains folder in here; delete it
• Log out / Restart immediately
• Keychain will recreate the folder and you should be good to go

I will update this post on attempting this fix; it sounds logical though. Anyone who has success, feel free to chime in. I should also point out that this will obviously wipe any application/web passwords you already have saved but I don't think that should be an issue for most people.

Update: It worked, so far so good! Can't believe the solution was so simple!

It may have also become out sync with your login account. By default regular keychain first aid won't fix it. To make it check and fix it, open Keychain Access.app, click the Keychain Access menu and open preferences. Hit the 'First Aid' tab and tick the 'Synchronise login keychain password with account' box.

Then run keychain first aid again.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged macos mac security safari keychain ..

• Featured on Meta
• Upcoming sign-up experiments related to tags

Hot Network Questions

• How can I take apart a bookshelf?
• Is this professor being unnecessarily harsh or did I actually make a mistake?
• How to Draw Gabriel's Horn
• how to solve improper integral
• A 90s (maybe) made-for-TV movie (maybe) about a group of trainees on a spaceship. There is some kind of emergency and all experienced officers die
• What kind of sequence is between an arithmetic and geometric sequence?
• Is it better to show fake sympathy to maintain a good atmosphere?
• Sed command listing all lines between pattern including the final line
• Why can Ethernet NICs bridge to VirtualBox and most Wi-Fi NICs don't?
• Why is polling data for Northern Ireland so differently displayed on national polling sites?
• Homebrew spell to improve familiar link before combat
• Brakes not going back on their own
• How to use IX as a return stack?
• Did James Madison say or write that the 10 Commandments are critical to the US nation?
• Weird behavior by car insurance - is this legit?
• Approach to software testing with docker
• What's the meaning of "nai gar"?
• Is it legal to discriminate on marital status for car insurance/pensions etc.?
• How to turn a desert into a fertile farmland with engineering?
• Idiom for a situation where a problem has two simultaneous but unrelated causes?
• Can a planet have a warm, tropical climate both at the poles and at the equator?
• Do IDE data lines need pull-up resistors?
• Isn't it problematic to look at the data to decide to use a parametric vs. non-parametric test?
• What exactly is beef bone extract, beef extract, beef fat (all powdered form) and where can I find it?

Support Portal

How can we help you today, resolve '(app name) wants to access key "(key name)" in your keychain' alert message print.

Modified on: Sun, Dec 13, 2020 at 6:29 PM

You may be prompted with messages such as 'codesign wants to access key "access" in your keychain'. To resolve this, you should set the related key's Keychain Access Control setting to "Always Allow":

• Open Keychain Access in Applications > Utilities > Keychain Access
• Highlight "Login" Keychain
• Find the key or keys you wish to allow your application to access
• Right-click the key item, and select "Get Info"
• Click on the "Access Control" tab
• Select "Allow all application to access this item" or "Always Allow"
• Press "Save Changes" to confirm the change
• Enter your password you use to login to the server to authenticate

This should allow your application to always allow access to the selected  key. Repeat the above steps on all keys you wish to always allow access.

Reference Video: How to allow applications to access keychain in Mac® OS X™  

Did you find it helpful? Yes No

Related Articles

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

MacOS InTune-Enrolled Device. Keychain Access to 'Microsoft Workplace Join Key'

I have a MacBook with Monterey OS that is enrolled through Intune. For some reason when the user attempts to access SharePoint online through Google Chrome she receives a prompt "Google Chrome wants to sign using key "Microsoft Workplace Join Key" in your keychain. Even if she selects Always Allow, she gets prompted again.

Microsoft Intune Enrollment Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities. Enrollment: The process of requesting, receiving, and installing a certificate. 1,299 questions Sign in to follow

@Gary Leung Thanks for posting in our Q&A.

Honestly, I haven't met this issue. If possible, it is suggested to try to access SharePoint online through Google Chrome on an unenrolled MacOS device and check if this issue still exists.

If this issue only occur in the enrolled MacOS, it is suggested to create an online support ticket to get more accurate help. Here is the support link: https://learn.microsoft.com/en-us/mem/get-support

Thanks for your understanding.

I had the same issue and still have no idea why. I was able to resolve by going to the key chain utility and finding the cert and selecting allow all applications to access item.

This happened in my environment when I created a persistent session conditional access policy and set it to report-only mode .

Disabling the policy resolved the issue.

This help out with my issue. same think CA policy was in report-only. Remove Macs and solve the issue for now.

It comes from the keychain ACL for Microsoft Workplace Joinkey. By default, all microsoft apps can access it (com.microsoft and Microsoft portal). Obviously here Chrome, is used to access to Sharepoint. It might be the same for other apps used to enter a microsoft site.

you can add Chrome to the keychain ACL.

I have added chrome and firefox but still getting prompts, can anyone guide me on this

@Anish Bhowmick Were you able to resolve this issue? Facing the same issue on my Mac.

‘Accountsd Wants To Use the Login Keychain Virus’: Key Tips

• Accountsd is the Accounts daemon that is a part of the Accounts framework. It helps with log in capabilities.
• While the issue can be caused by a virus, the problem is likely easy to fix.
• You can enable your iCloud Keychain via Apple Menu > System Settings > Apple ID > iCloud > Passwords & Keychain .

Are you seeing an error along the lines of “ Accountsd wants to use the login keychain “? While it’s easy to assume that it’s some type of virus, the more likely explanation is that something is going on with your passwords and iCloud Keychain. Considering Accountsd helps with starting login credentials for apps and other services on your Mac, it needs access to your keychain to function properly. Your keychain is the one that manages your passwords, which is where we’ll be looking.

Let’s explore the solutions to this problem and get your Accounts back on track.

If you’re encountering issues with viruses and malware on your Mac, consider trying a reliable antivirus like Intego. It’s one of the most effective tools that can help you protect your system and effortlessly regain control over your Mac’s security.

➡️ Try Intego AV here

How To Stop Accountsd From Asking To Use Login Keychain

1. sync login password and keychain password.

Time needed:  3 minutes

If you’re receiving a “Accountsd wants to use keychain” error message, the most likely explanation is that the password for your Mac and the login password for your keychain are not synced. Re-syncing the two may solve your problem. Follow these steps:

Should things go well, your passwords will sync and you will no longer receive the message.

2. Disable Keychain Auto-Lock

It may be that you’re receiving this message due to iCloud Keychain locking automatically. You can disable this so that you no longer need to enter your password.

• Open Keychain Access .

• Uncheck Lock after sleeping and Lock after. . .

3. Reset Default Local Keychain

This can be useful if you continue to receive a message from a browser window asking for login keychain use. It’s possible there is a bug within the keychain itself. Performing a reset on your keychain may do the trick.

• First, launch Keychain Access .

4. Create a New Keychain

If you continue having issues with your existing keychain, you may want to simply create a new one.

• From the menu bar, select Go > Go to Folder . You can also press Shift + Command + G .

• Copy the Keychains folder and paste it to your desktop.
• Give the folder a new name.
• Reset the default local Keychain —the steps are in solution three.

• You can import items from the old keychain to your new keychain by right-clicking the old keychain and selecting Copy [item name] . Paste it within the main window by right-clicking or ctrl-clicking and selecting Paste [item name] .

While this can be a frustrating situation to be in, there are solutions available that would hopefully work for you. You may also want to know how to clear a virus from your Mac in 2024 .

Leave a Reply Cancel reply

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

• Nick deCourville

• Apple Watch
• Accessories
• Digital Magazine – Subscribe
• Digital Magazine – Info
• Smart Answers
• Amazon Prime Day
• Apple Watch 2024
• 11th-gen iPad
• New AirPods
• Best Mac antivirus
• Best Mac VPN

When you purchase through links in our articles, we may earn a small commission. This doesn't affect our editorial independence .

How to use Keychain Access to view and manage passwords on your Mac

Hidden inside the Mac Utilities folder, Keychain Access provides access to the passwords and other private information saved through your Mac’s keychain.

If you think managing your passwords on the Mac is limited to Safari, you’ve never explored the Keychain Access utility. With Keychain Access, you can review, change, delete, and create passwords for your online accounts and examine security keys and certificates and add password-protected notes. 

First, you’ll need to make sure that iCloud Keychain is enabled. Open System Preferences, click the icon for Apple ID, and click the checkbox for Keychain . Then when you browse to a password-protected website, iCloud Keychain will ask if you want to save the password. Click Save Password and it’ll be securely stored in your Keychain.

As you visit websites, you’ll automatically accumulate logins and passwords, which you can view by clicking the Go menu in the Finder, selecting Utilities, and then double-clicking the icon for Keychain Access. The tool starts by showing you all saved Keychain items, including passwords, certificates, and keys. Click the tab for Passwords , then in the left pane, select the option for iCloud .

The list will most likely be sorted by name in ascending order, but you can change that by clicking any of the other column headings. For example, to see your most recent saved accounts, click the heading for Date Modified and then click the arrow to display the list with the most recent items at the top.

To edit a user name or password, double-click a specific entry. A popup window displays the attributes for that account, including the website name, the account username, and the URL. Click the checkbox for Show password. You’re prompted to enter your Mac’s password. Enter it, and the password for the selected account appears in plain text.

Once unlocked, you’ll be able to see your existing passwords and enter new ones like in a third-party password manager. Click the icon at the top for Create a new Keychain item. In the popup window, enter the Keychain item name or the URL if this is a website account. Type the username and then enter the password. Keychain Access displays a graph showing the strength of the password.

You can also edit passwords if you feel one is too weak or simple (or just want to practice good password maintenance). To change it, type the new password in the Show password field and click Save Changes . Beyond changing the password, you can change other attributes, including the website name, your account name, and the URL. Again, click Save Changes after you’ve changed any attribute.

Switch over to the Secure Notes tab and you can store things that aren’t passwords, such as security questions or recovery keys that you won’t need often. It’s like the way Locked notes work in the Notes app, but you don’t need to set a specific password for each one. Your Mac’s login password locks them all down.

Author: Lance Whitney

Lance Whitney is a freelance technology writer with a background in IT. He's written for a host of sites and publications, including TechRepublic, PCMag, Macworld, AskWoody, Time, and AARP Magazine. He’s also the author of two books for Wiley & Sons: "Windows 8: Five Minutes at a Time" and "Teach Yourself Visually LinkedIn."

Recent stories by Lance Whitney:

• 10 simple Mac tweaks to help you work smarter and safer in 2022
• MacKeeper review: A convenient security suite saddled with a shady past
• How to uncover vital Mac details with the System Information app

macOS User Guide

• What’s in the menu bar?
• Work on the desktop
• Search with Spotlight
• Quickly change settings
• Get notifications
• Open apps from the Dock
• Organize your files in the Finder
• Connect to the internet
• Browse the web
• Preview a file
• Take a screenshot
• Change your display’s brightness
• Adjust the volume
• Use trackpad and mouse gestures
• Use Touch ID
• Print documents
• Keyboard shortcuts
• Apps on your Mac
• Work with app windows
• Use apps in full screen
• Use apps in Split View
• Use Stage Manager
• Get apps from the App Store
• Install and reinstall apps from the App Store
• Install and uninstall other apps
• Create and work with documents
• Open documents
• Mark up files
• Combine files into a PDF
• Organize files on your desktop
• Organize files with folders
• Tag files and folders
• Back up files
• Restore files
• Change System Settings
• Choose your desktop wallpaper
• Add and customize widgets
• Use a screen saver
• Add a user or group
• Add your email and other accounts
• Automate tasks with Shortcuts
• Create Memoji
• Change your login picture
• Change the system language
• Make text and other items on the screen bigger
• Set up a Focus to stay on task
• Set up Screen Time for yourself
• Use Dictation
• Send emails
• Send text messages
• Make a FaceTime video call
• Edit photos and videos
• Use Live Text to interact with text in a photo
• Start a Quick Note
• Get directions
• Work across devices using Continuity
• Use iPhone as a webcam
• Use iPhone with Desk View
• Stream audio and video with AirPlay
• Use one keyboard and mouse to control Mac and iPad
• Hand off between devices
• Unlock your Mac with Apple Watch
• Make and receive phone calls on your Mac
• Sync music, books, and more between devices
• Manage Apple ID settings
• Set your Apple ID picture
• What is iCloud?
• What is iCloud+?
• Store files in iCloud Drive
• Share and collaborate on files and folders
• Manage iCloud storage
• Use iCloud Photos
• What is Family Sharing?
• Set up Family Sharing
• Set up Screen Time for a child
• Share purchases with your family
• Watch and listen together with SharePlay
• Share a Photo Library
• Collaborate on projects
• Find content shared with you
• Find your family and friends
• Play games with your friends
• Listen to podcasts
• Watch TV shows and movies
• Read and listen to books
• Read the news
• Track stocks and the market
• Apple Music
• Apple Arcade
• Apple News+
• Podcast shows and channels
• Manage subscriptions in the App Store
• View Apple family subscriptions
• Guard your privacy
• Use Mail Privacy Protection
• Control access to your camera
• Use Sign in with Apple for apps and websites
• Set up your Mac to be secure
• Keep your data safe
• Create a passkey
• Understand passwords
• Keep your Apple ID secure
• Find a missing device
• Get started with accessibility features
• Connect an external display
• Use the built-in camera
• Connect a Bluetooth device
• Use AirPods with your Mac
• Optimize your Mac battery life
• Optimize storage space
• Burn CDs and DVDs
• Control accessories in your home
• Use Windows on your Mac
• Resources for your Mac
• Resources for your Apple devices

Manage passwords using keychains on Mac

macOS uses keychains to help you keep track of and protect the passwords, account numbers, and other confidential information you use every day on your Mac computers and iOS and iPadOS devices.

You can use the Keychain Access app on your Mac to view and manage your keychains. When you use iCloud Keychain, you can keep your passwords and other secure information updated across your devices.

What is a keychain?

A keychain is an encrypted container that securely stores your account names and passwords for your Mac, apps, servers, and websites, and confidential information, such as credit card numbers or bank account PIN numbers.

When you access a website, email account, network server, or other password-protected item, you can choose to save the password in your keychain so you don’t have to remember or enter the password each time.

Each user on a Mac has a login keychain. The password for your login keychain matches the password you use to log in to your Mac. If an administrator on your Mac resets your login password, you need to reset your login keychain password.

Keychain Access

You use the Keychain Access app on your Mac to view and manage your login and other keychains, and also the items securely stored in the keychains—for example, keys, certificates, passwords, account information, and notes. If you forget a password, you can find it in Keychain Access. Learn more about Keychain Access .

iCloud Keychain

If you use iCloud, you can have iCloud Keychain securely store the website login information and credit card information you use with AutoFill in Safari, and your Wi-Fi network information. iCloud Keychain automatically keeps that information up to date across all your Mac computers and iOS and iPadOS devices. iCloud Keychain also stores login information for the accounts you use in Mail, Contacts, Calendar, and Messages so it’s available on all your devices. Learn more about iCloud Keychain .

Tip: When you use passwords and credit cards online, you can let Safari store them in your keychain and automatically fill them in for you. If you also use iCloud Keychain on your Mac and iOS and iPadOS devices, Safari can fill in the stored information on any of your devices. See AutoFill credit card info in Safari .

• Election 2024
• Entertainment
• Newsletters
• Photography
• Personal Finance
• AP Investigations
• AP Buyline Personal Finance
• AP Buyline Shopping
• Press Releases
• Israel-Hamas War
• Russia-Ukraine War
• Global elections
• Asia Pacific
• Latin America
• Middle East
• Election Results
• Delegate Tracker
• AP & Elections
• Auto Racing
• 2024 Paris Olympic Games
• Movie reviews
• Book reviews
• Financial Markets
• Business Highlights
• Financial wellness
• Artificial Intelligence
• Social Media

One Tech Tip: What to do when you have too many passwords to remember

FILE - A visitor looks at his phone at the Mobile World Congress 2024 in Barcelona, Spain, Feb. 27, 2024. According to some un-scientific studies, the average person has hundreds of passwords to their name. (AP Photo/Pau Venteo, File)

• Copy Link copied

LONDON (AP) — Everyone has too many passwords. The credentials we need to remember to navigate online life keep multiplying, not just for frequently used email, banking, social media, Netflix and Spotify logins, but also, say, the little-known e-commerce site you’re not sure you’ll buy from again.

According to some unscientific studies, the average person has hundreds of passwords. That’s a lot to keep track of. You might be tempted to recycle them, but it’s one of the bad password habits that cybersecurity experts warn against.

Instead, use a password manager. They’ve been around for a while and can be useful tools to keep on top of your credentials. But they can also be intimidating for those who aren’t tech-savvy.

Here’s a guide on how to use them:

Why should I use a password manager?

Many people just use the same password for all their online accounts, mainly because it’s the most convenient thing to do.

If your credentials are caught in a cyber breach, the hackers could try using the stolen passwords to get into other services.

Other no-nos: Using easily guessed information like birthdays, names of family members, favorite sports teams, or simple phrases like abc123.

The best strategy, experts say, is to use a different password for each account, the longer and more complex the better, backed up by two-factor authentication where possible.

But it’s impossible to remember all those various codes. So let a password manager do the job.

How does a password manager work?

The basic concept is simple: Your passwords are stored securely in a digital vault. When you need to access an online service, it auto-fills the login and password fields. The only thing you’ll need to remember is a single password to open the password manager.

Most password managers have a smartphone app that works with mobile browsers and other apps and can be opened with a thumbprint or facial ID scan. If you’re using a computer, you can also log in to your password vault through a browser plug-in or by going to a website.

A good password manager should also be able to generate complex passwords with letters, numbers and symbols, for whenever you’re setting up a new account. And it should also recognize that you’re signing into an online service for the first time and ask if you want to save the credentials you’ve entered.

Password managers can also help you avoid falling prey to phishing scams. Those deceptive emails from fraudsters trying to trick you into clicking a link to a phony website designed to harvest login details? A password manager won’t automatically fill in the details if the web address doesn’t match the one linked to the saved password.

They don’t just store passwords. You can save bank and credit card PINs, for example. Many also support passkeys, a new technology that companies like Google have been rolling out as a safer alternative to passwords.

How do I choose the best one to use?

There are dozens of password managers on the market, so it can be hard to figure out what’s best for you.

Better-known platforms include 1Password, Bitwarden, Dashlane, Bitdefender, Nordpass, Keeper and Keepass.

Check out the many tech review websites that have conducted in-depth testing and compiled rankings of the most popular services. If you want to nerd out, users on Reddit have drawn up spreadsheets with side-by-side comparisons. Britain’s National Cyber Security Centre has a buyer’s guide .

Most services have free and paid versions. The paid options typically cost a few dollars a month while the free offerings tend to have restrictions like allowing only one device to be logged in at a time or limiting the number of passwords you can store.

If cost is a factor, Bitwarden’s free service gets top marks from reviewers, though it’s less polished and not as immediately intuitive to use.

A good password manager will work across different devices and platforms, with apps for Windows and Mac computers and iOs and Android devices, and plugins for browsers like Chrome, Safari, Firefox, Edge, Brave and Opera

There are also basic browser-based password managers as well as Apple’s iCloud Keychain for Macs and iOS devices. The iPhone maker is aiming more directly at the market with a new Passwords app that will roll out in the fall.

But are they secure?

Cybersecurity worries around password managers flared up after one service, Lastpass, reported a security breach, leading experts to recommend avoiding it.

Don’t let that put you off. For one thing, experts advise that saving credentials in a password manager is much safer than letting, for example, e-commerce sites do it.

Good password managers use strong encryption that prevents anyone else from seeing your data.

Many services use AES-256 encryption, which is considered the most secure type “and impossible to be brute-forced by today’s technology,” said Pieter Arntz, senior malware intelligence researcher at cybersecurity company Malwarebytes.

Strong encryption “ensures that even if your computer or your password manager is compromised, the attacker cannot simply read all your passwords, because they are stored encoded and the attacker will need the master password to decode them,” Arntz said.

A good password manager should also hold regular security audits and inform users quickly if there’s a breach.

Many services store data in the cloud. If you’re worried about that, some let you store them only on your local device, but it can be a complicated process.

Is there a tech challenge you need help figuring out? Write to us at [email protected] with your questions.

The Eclectic Light Company

Does sequoia’s password app change keychains.

Way back in the days of Classic Mac OS, Apple decided to provide system-level support for the secure storage of passwords, making it far easier to manage and use unguessable passwords by storing them in a secure database, the keychain. From the moment you log into your Mac until you log out again (and, for some services, even when there’s no user logged in at all), it depends on keychains.

Traditionally these have been kept as files in Keychains folders in each of your Mac’s Library folders, where they store, access and manage secrets, including passwords for various purposes, security certificates, private keys, and secure notes. The master is the keychain opened automatically at login, the login keychain.

In OS X 10.9, iCloud keychains were introduced to Macs from iOS devices. Those have always been different; for a start, while Macs have multiple keychains, iOS only has one, and from the outset that single keychain is designed to be stored in iCloud and protected by the Secure Enclave. Apple refers to these two types as file-based and Data Protection keychains.

login keychain

For each user, their default personal file-based keychain is the login keychain, located in ~/Library/Keychains/login.keychain-db. This is unlocked automatically when the user logs in as it has the same password as that user account. It’s here that each user should store their certificates, secure notes, etc. for general use on that Mac.

Although kept unlocked, readable and writeable while the user is logged in, that doesn’t guarantee access to its contents. If an app makes a call to the macOS security system to retrieve a stored password for its use, that system determines whether the app is trusted to access that information, and whether that keychain is locked. Assuming the password is stored there, the app is trusted, and the keychain is unlocked, then the password is retrieved and passed back to the app. If the app isn’t trusted or the keychain is locked, then the security system, not the app, displays a distinctive standard dialog asking for the password to that keychain to authenticate before it will provide the password to the app.

The user cannot determine which apps are trusted as far as the security system is concerned. Those are determined by the security system, the specific access it grants to an app, and to individual items in that user’s keychain. At its most restrictive, the system can limit all other apps from accessing a particular secret in the keychain, but specific secrets can also be shared across several different apps.

System keychains

For the system, there are two vital groups of keychains:

• in /System/Library/Keychains, in the SSV, are SystemRootCertificates and others providing the set of root security certificates for that version of macOS;
• in /Library/Keychains is the System keychain and others providing certificates and passwords required for all users, including those to gain access to that Mac’s Wi-Fi connections.

Custom keychains

Apps and users are also able to create their own keychains. Among those I have on my Macs are shared keychains with Parallels virtual machines, several for Microsoft apps, and some for Adobe’s products. I also tend to make a copy of the login keychain from my last Mac and copy it across under another name to ~/Library/Keychains, so that if I happen to have left any important certificates or passwords behind when migrating to a new Mac, I should be able to find them there.

Although these additional keychains may be included in the keychain search path, when macOS is looking for a secret kept in a keychain, unlike the login keychain they’re normally kept locked. If I or an app want access to them, I’ll be prompted for that keychain’s password. For old login keychains, that’s just my old login password from that Mac, of course.

One of the biggest security problems with file-based keychains is that they’re relatively easy for malware to exfiltrate, and given suitably powerful hardware to brute-force access to their contents.

Data Protection keychain

Since OS X 10.9, Macs have also had one and only one Data Protection keychain that’s accessed using a different API. If you share your keychain in iCloud, this is the local copy of that shared keychain and is known as iCloud Keychain; if you don’t share it in iCloud, then it’s known as Local Items instead. The local copy of this is normally stored in ~/Library/Keychains/[UUID]/keychain-2.db, where the UUID is that assigned to that Mac.

The Data Protection keychain stores all the standard types of secret, including internet and other passwords, certificates, keys and passkeys, but not normally secure notes. Prior to macOS 11, it only synchronised internet passwords using iCloud, but from Big Sur onwards it synchronises all its content, including passkeys, which have now become first class citizens. Unlike file-based keychains, secrets in the Data Protection keychain can be protected by the Secure Enclave, and can therefore be protected by biometrics including Touch ID, and Face ID on iOS and iPadOS. Hence they’re required for passkeys, which don’t appear to be supported by traditional file-based keychains.

Prior to Sequoia, the best way to work with passwords and passkeys stored in a Data Protection keychain has been the Passwords section of System Settings, or its equivalent in Safari’s Settings. In macOS Sequoia, those are due to be replaced by a new Passwords app, looking much like one of the better third-party password managers.

The bundled tool for working with file-based keychains is the Keychain Access app, together with some of the features of the command tool security . As it appears unlikely that the new Passwords app will be able to work with the login and other file-based keychains, Sequoia is expected to retain Keychain Access, although you might find it moved away from its current location in /Applications/Utilities, into hiding.

Currently macOS still supports keychains in their original Classic Mac OS format, and file-based keychains remain in wide use. As they can never provide the same level of security as Data Protection keychains, and can’t benefit from biometrics or the Secure Enclave, Apple is moving on to Data Protection keychains as much as possible. The Passwords app looks to be a good step in that direction, particularly for those who share their Data Protection keychain in iCloud.

Apple still has one significant problem to solve: code such as LaunchDaemons and LaunchAgents that don’t run in a user context, but through launchd , can’t currently access a Data Protection keychain, and must rely on file-based keychains. Traditional keychains aren’t going away yet.

Apple TN3137 : On Mac keychain APIs and implementations Apple Keychain Services

Share this:

Protection keychain can be protected by the Secure Enclave, and can therefore be protected by biometrics including Touch ID, and Face ID on iOS and iPadOS.

What about M* or T2 Macs with Touch ID capabilities?

Like Liked by 1 person

Yes, that’s what I wrote. Touch ID applies to those Macs and devices that support it, while Face ID is only available on certain iOS and iPadOS devices. Howard.

This change in location of key chains has me a bit worried if -for instance, the caches are accidentally erased. That has happened and require knowing where the lost password is located.

” Sequoia is expected to retain Keychain Access, although you might find it moved away from its current location in /Applications/Utilities, into hiding. “

How would you then locate a password if it will be in a hidden different location?

There’s no indication that any keychains are being relocated, however the Keychain Access *app* looks likely to move from its current location in /Applications/Utilities. That’s standard Apple practice in this situation. Only in exceptional circumstances should users ever have to know the location of keychains anyway. Currently, you edit the DP keychain using the Passwords settings or its equivalent in Safari’s Settings, and you edit the file-based keychains using Keychain Access. So long as those apps, and the apps that use keychains, know how to access them, that’s all that should be important to the user. While macOS might cache keychain contents (I very much doubt that it does, though), caches are intended to emptied. It’s the original keychains that are important, and should remain perfectly good in Sequoia, or we’re all in deep trouble! Howard.

So we now have 2 apps to use instead of one? And I have to make another fork like for Settings/Preferences?

I haven’t looked at Sequoia, yet, because my internet connection is crap at the moment.

Going from what Apple has shown, there should be two apps, although few will need to use anything other than the new Passwords app. The Passwords app is based on what is currently in Password settings, and Safari settings, and is the one that gives access to all the commonly used passwords, passkeys, etc., in the DP keychain. Although Keychain Access has given access to those, it’s not a patch on a proper app, and from the looks of it, the Passwords app should be in the same league as (e.g) the 1Password app, only native, not Electron. For those who still need access to their login and other file-based keychains, I don’t see Keychain Access going away, but it’s most likely to be hidden away from the casual user. I still use that, e.g. for my Apple dev certificates, which I don’t think can go in the DP keychain. If the Passwords app proves as good as it looks, the great majority of users will only ever use that, and I don’t think Apple intends giving that access to file-based keychains, which would make it really messy and confusing. Howard.

This presumed slow deprecation of the file-based keychain stores has me wondering what the correct means of migrating that data to Data Protection keychains.

There’s a lot of cruft that’s built up in there as my accounts have migrated to new machines over twenty years.

The simplest way is to copy and paste usernames and passwords from Keychain Access to the new Passwords app. As file-based keychains can’t store passkeys, which would be more complex, it’s a bit tedious but straightforward. There’s no rush to do that, and it may be simpler to let them migrate over time. Howard.

That’s mostly the approach I’ll be taking. Though the entries I mostly think of are all the private keys and credentials for objects like NAS filers or certificate identities, etc.

Private keys and credentials are a bit different, and I don’t see that they should migrate to any password manager. Maybe in the fullness of time they might. Howard.

Thank you very much for spending time on this topic. I still have some curiosities. If I understand, The keychains data protection continues to be managed via an encrypted database but the key does not correspond to the login password but is managed via an enclave (unlocked by touch id). I was wondering what happens when you migrate a profile to new hardware (via migration assistant), will the uuid change and a new key will be generated? Since the database is still stored in a local file, what prevents an attack similar to that of the “classic” keychain in the event of exfiltration?

AFAIK the big difference here is that a file-based keychain is encrypted as a whole, so brute-force attack is feasible, and will then reveal the entire contents. Individual items like passkeys are encrypted individually in the DP keychain, so are much harder to break. Howard.

What is better with working with passwords in the “Passwords section of System Settings” than Keychain? I have maybe used that section once or if it was in Safari. In Keychain I know I will find all passwords (which I know I cannot do at least in Safari) and can conveniently sort them by date which is normally the most important thing apart from seeing the password.

Wait until you use the new app, which also gives access to passkeys. Keychain Utility is primitive and far less capable when working with DP keychains. Howard

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Begin typing your search above and press return to search. Press Esc to cancel.

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

security wants to access key Chrome Safe Storage in your keychain.

Lately, I've been getting the popup message:

security wants to access key "Chrome Safe Storage" in your keychain.

To allow this, enter the "login" keychain password.

Underneath that is a password field and the buttons Always Allow, Deny and Allow

This appears to be a macOS message, but it seems tied to a certain application:, Wondershare AllMyTube. The pop-up stays on my screen the whole time I'm using my Mac, but when I quit AllMyTube and restart, the message does not reappear. The password that goes into the password field does not appear to be my system password.

I do not know how to deal with this or if this might be a security risk.

I'm also sending out this question to Wondershare.

Mac mini, macOS 10.15

Posted on Mar 14, 2022 8:08 AM

Posted on Mar 18, 2022 2:30 PM

UPDATE: When I simply clicked the "Deny" button that made the warning go away and the software resumed working as usual.

Similar questions

• Flood of "wants to use the login keychain" messages Every once in a while my MacBook Pro freezes up and I get a sudden flood of messages telling me several processes want to use the login keychain, all at once. There's no way to stop it, I have to shut down when it happens. I've scanned my device for viruses (I use BitDefender) and it says I'm clean, but who knows for sure. Any advice would be appreciated, thank you very much! 2004 1
• Why does microsoft sharepoint keep asking for keychain access Each time I start up my Mac and log in, a window pops up (about 100 times) saying "Microsoft SharePoint wants to use your confidential information stored in "OneDrive..." (see attached). None of the buttons helps (nor does entering my login password and then clicking "allow" or "always allow") - the window keeps popping right back up. Only clicking "deny" a hundred times finally gets rid of it. I don't even WANT to use Microsoft SharePoint - but I also cannot eliminate it from the login items - everytime I click the "-" sign to get rid of it and then restart, it is right back there (with the "hide" button checked). Anybody have an idea how to make this go away? (This happens without starting ANY Microsoft 365 app - just logging into my MacBook Air running Monterrey 12.6.7) 3824 2
• Mac keeps asking for keychain password every time I log in When I log into my macbook, I always get a message asking for my keychain password and it is becoming infuriating to deal with. I've tried literally everything under the sun but nothing seems to be working. BTW. I'm on Mojave Thanks 1083 1

Loading page content

Page content loaded

Mar 18, 2022 2:30 PM in response to Timothy Arends1

Mar 15, 2022 9:07 AM in response to Timothy Arends1

Hi Timothy,

We have a link that might be helpful If your Mac keeps asking for your keychain password . See if the steps below help to clear this up:

"Your  keychain  may be locked automatically if your computer has been inactive for a period of time or your user password and keychain password are out of sync.You can set a length of time that Keychain Access waits before automatically requiring you to enter your password again.

• Choose Edit > Change Settings for Keychain “login.”
• Select the “Lock after” checkbox, then enter a number of minutes.
• If you want to require a password each time the computer goes to sleep, select the “Lock when sleeping” checkbox.
• Click Save."

Have a great day!