Snow Leopard keychain and password administration 101

Erik Eckel goes over the basics of troubleshooting problems with Snow Leopard's keychain and resetting account passwords.

Keychain corruption and errors are among a Mac enterprise administrator's more frustrating issues. Unfortunately, many Mac administrators are more familiar with Windows security processes. Like many, I've had to learn Mac Keychain ins and outs the hard way: under fire. Over the last month, I've had to troubleshoot Macs for which the system administrator password was no longer known, or on which specific user accounts' keychains simply no longer worked properly. Here are some Snow Leopard Keychain fundamentals that may well help you, should you find yourself in the same situations.

The Mac Keychain

The Mac OS X Keychain stores passwords, certificates and private keys, secure notes, and Safari's saved Web form passwords in encrypted keychain files. Snow Leopard keeps these files in several locations, depending on the type of data being stored (note that Mac OS X uses the Unix forward slash as its path separator, and ~ stands for the user's home directory):

  • ~/Library/Keychains/login.keychain is the user's default keychain. It holds that user's saved application, network and Web passwords. Its own password is, by default, the user's account login password, which is why it unlocks automatically at login.
  • /Library/Keychains/FileVaultMaster.keychain holds the FileVault master identity (a certificate and private key, protected by the master password) used to recover FileVault-encrypted home directories. It exists only once a master password has been set.
  • /Library/Keychains/System.keychain holds system-wide items, including the AirPort (wireless) network passwords available to every user of the Mac.
  • /System/Library/Keychains/ holds Apple's trusted root certificate store (SystemRootCertificates.keychain).

Keychain access

Administrators should use the Keychain Access utility (/Applications/Utilities/Keychain Access.app) to troubleshoot and correct keychain errors. From its window you can view and edit problematic keychain items. A user can edit items in his or her own login keychain; changes to the System keychain require an administrator's name and password. In either case the keychain must be unlocked (you are prompted for its password) before an item's secret can be shown or changed.

Troubleshooting and repairing keychains

Administrators can edit a keychain item by double-clicking it. New keychains are created with File | New Keychain; the default location is the user's Keychains folder (~/Library/Keychains).

Individual items can be removed by selecting them and choosing Edit | Delete; an entire keychain is removed with File | Delete Keychain, which asks whether to delete only the reference to the keychain or the file as well. Deleting an item sometimes helps when troubleshooting a failed wireless network connection: with the stale AirPort entry gone, the Mac prompts for the network password again and stores a fresh item on the next successful join.

When a keychain appears corrupted, verifying and repairing it sometimes corrects the problem. Open Keychain Access, select the keychain in question, then click File and choose Unlock Keychain; you'll be prompted for the keychain's password. Next click Keychain Access and select Keychain First Aid, enter the account name and password, and select Verify to check the keychain's integrity or Repair to fix any problems found. Clicking Start begins the verification or repair. Note that First Aid needs the password the keychain was last set to: if an administrator has since reset the account password, that is the old account password, not the new one.

Resetting account passwords

Some confusion exists regarding resetting a Snow Leopard machine's account passwords. I've met computer professionals who believed a Mac needed the operating system reinstalled should an administrator (or root) password be misplaced or forgotten. That's incorrect.

Apple includes a password reset utility on the Mac OS X installation disc. Insert the disc and hold down the C key while the Mac starts so that it boots from the disc into the Installer. From the Installer's menu bar, choose Utilities | Reset Password, select the startup volume and the account, and set a new password; this works for any local user account on the system, root included. Two caveats apply. First, anyone with physical access and an install disc can do this, so a login password alone is not a security boundary; the Firmware Password Utility on the same disc can block booting from other media. Second, resetting a password this way does not change the user's login keychain password, which stays at the old value. At the next login the user is told the login keychain could not be unlocked and offered to update the keychain password (which requires the old password), continue without it, or create a new keychain (losing the saved passwords); the same change can be made later in Keychain Access via Edit | Change Password for Keychain "login". Likewise, a FileVault-protected home directory is encrypted under the user's original password, so a reset does not make that data readable unless the FileVault master password is known.
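The following shell script is an added example, not part of the original article: it ties together the keychain locations listed above and the password-reset caveat just described, using Snow Leopard's /usr/bin/security tool. The function names and the "present/missing" report format are my own; the `security` subcommands (unlock-keychain, lock-keychain, set-keychain-password) are the tool's. It checks which of the standard keychain files exist, tests whether a candidate password still opens the login keychain, and, when it does not, brings the keychain back in step with the new account password using the old one.

```sh
#!/bin/sh
# Added example (not from the article): audit the Snow Leopard keychain
# locations and detect the login-keychain/account-password mismatch that
# follows a Reset Password from the install disc.
# Assumes Mac OS X 10.6 with /usr/bin/security; file names are 10.6 defaults.

# Print the standard keychain files for a home directory ($1) and a
# system volume root ($2; leave empty for the running system).
keychain_paths() {
    home=${1:-$HOME}
    root=${2:-}
    printf '%s\n' \
        "$home/Library/Keychains/login.keychain" \
        "$root/Library/Keychains/System.keychain" \
        "$root/Library/Keychains/FileVaultMaster.keychain" \
        "$root/System/Library/Keychains/SystemRootCertificates.keychain"
}

# Report which of those files exist, one "present PATH" or "missing PATH"
# line each. FileVaultMaster.keychain is created only once a master
# password has been set, so "missing" there is normal on most Macs.
audit_keychains() {
    keychain_paths "$1" "$2" | while IFS= read -r kc; do
        if [ -f "$kc" ]; then
            printf 'present %s\n' "$kc"
        else
            printf 'missing %s\n' "$kc"
        fi
    done
}

# Return 0 if password $2 unlocks keychain $1, then lock it again so the
# check leaves no side effect. Caveat: -p exposes the password in the
# process list for the moment the command runs; run this from a script,
# not on a shared terminal.
keychain_accepts_password() {
    kc=$1
    pw=$2
    if security unlock-keychain -p "$pw" "$kc" >/dev/null 2>&1; then
        security lock-keychain "$kc" >/dev/null 2>&1
        return 0
    fi
    return 1
}

# After an out-of-band account password reset, change the login keychain's
# password from the OLD account password ($2) to the NEW one ($3). Without
# the old password the remaining options are Keychain First Aid or a new
# keychain, which loses the saved items.
resync_login_keychain() {
    kc=$1
    old=$2
    new=$3
    security set-keychain-password -o "$old" -p "$new" "$kc"
}

# Usage on the affected Mac, logged in as the user (OLD_PW and NEW_PW are
# placeholders for the pre- and post-reset account passwords):
#   audit_keychains "$HOME" ""
#   kc="$HOME/Library/Keychains/login.keychain"
#   keychain_accepts_password "$kc" "$NEW_PW" \
#       || resync_login_keychain "$kc" "$OLD_PW" "$NEW_PW"
```

The audit takes an explicit home directory and volume root so it can also be run from the installer's Terminal against a mounted startup volume (for example `audit_keychains /Volumes/Macintosh\ HD/Users/jsmith /Volumes/Macintosh\ HD`), where the login keychain cannot be unlocked but its presence can at least be confirmed before a reset.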



Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...


Is there any way to auto-update certain passwords when the main keychain password is updated? For instance, if I change my work network password, I have to shut the Mac down, hard-wire it to the network, log in with the new password, update the keychain password with the new one, and then manually update my Exchange and WPA passwords in the keychain. I want those two passwords to always be the same as the main keychain password.


Nice work but ... what if you've forgotten the keychain's password? I am currently trying to figure out how to upgrade software and the password is not correct. The password I use to unlock the machine on startup works, but nothing else. I am unable to use Keychain First Aid as the system will not accept my password. Currently, I have a 16GB Mac Pro which sits waiting for new software but no matter which password I use, it still refuses to accept them. I've tried the reboot from the System disc but that's fine if you want to change the passwords and not the keychain. Any ideas?


I never thought it was this easy! I'll keep a note of this.


Thanks for a great "Intro to Keychains" article. One thing that I noticed is that someone (perhaps an editor) changed slashes to backslashes in the Keychain paths in the article. Mac OS X uses the same path delimiter as Unix/Linux, namely a slash ("/"). The article mistakenly substitutes a Windows-like backslash ("\"). The other note is regarding changing a user's password with the OS X DVD. While that will work to get into a normal user account if you have physical access to the machine, if that user is FileVaulted, it will still not get you to their data. The only way to a FileVaulted user's data is with the user's original password, or by using the "Master" password, if it was set by IT or the user and is known. Otherwise, the FileVaulted data is inaccessibly encrypted and essentially gone.
