Sweep for Mac

Mac Keychain Explained (and How to Recover It)

Mac Keychain stores passwords, certificates, and secure notes. Here's how it works, where data is stored, and how to fix it when something goes wrong.

You’re sitting in front of your Mac and a dialog asks for your “Login Keychain password.” You haven’t seen this dialog in years. You type your account password — and it’s rejected. Now Safari can’t autofill anything, your Wi-Fi password is forgotten, your email accounts are asking for re-authentication, and the password manager built into macOS that’s quietly worked for you for the past decade has decided to stop.

The Mac Keychain is one of the longer-running pieces of OS X / macOS — it’s been around since Mac OS 8.6 in 1999. It’s also one of the most invisible: when it works, you never think about it. When it doesn’t, half your apps misbehave. Knowing what it actually is, where it lives, and how to fix it without losing everything in it is one of the more practical Mac skills.

What the Keychain Is

A keychain is an encrypted database of secrets. Each entry can hold:

  • Passwords — for websites, Wi-Fi, mail accounts, app credentials
  • Certificates — TLS client certs, code signing certs, S/MIME certs
  • Keys — private keys associated with certificates
  • Secure notes — arbitrary encrypted text
  • Application passwords — credentials saved by apps that integrate with Keychain

The whole database is encrypted with a master password. By default, your Login Keychain’s master password is the same as your account password — so when you log in, the keychain unlocks automatically.

The Multiple Keychains

Most Macs have several keychains active simultaneously. Open Keychain Access to see them in the sidebar. Through macOS Sonoma it lives at /System/Applications/Utilities/Keychain Access.app; macOS Sequoia moved it to /System/Library/CoreServices/Applications/Keychain Access.app and dropped it from the Utilities folder, but Spotlight still finds it by name.

  • login.keychain-db — your personal passwords, unlocked at login
  • System — for system-level credentials like Wi-Fi passwords (admin auth required)
  • Local Items / iCloud — the keychain behind Safari AutoFill and passkeys; shown as "iCloud" and synced when iCloud Keychain is on, "Local Items" otherwise (more on this below)
  • System Roots — Apple’s trusted root certificates, read-only

The actual files are at:

  • ~/Library/Keychains/login.keychain-db — Login Keychain
  • /Library/Keychains/System.keychain — System Keychain
  • ~/Library/Keychains/<UUID>/keychain-2.db — Local Items / iCloud Keychain (cloud-synced only when iCloud Keychain is on)

The -db suffix arrived with macOS Sierra, but login.keychain-db is not a SQLite database: it is the same legacy keychain format as the older .keychain files, and its first four bytes are the legacy "kych" signature. The SQLite-backed one is the Local Items / iCloud keychain (keychain-2.db). Older .keychain files are still readable, and keychains created today always get the -db name.

How It Decrypts Itself

Here’s what happens at login:

  1. You type your account password
  2. macOS uses the password to derive a key
  3. That key decrypts the Login Keychain
  4. Once decrypted, the keychain stays unlocked until logout (or a configured idle timeout)

If your account password and your Login Keychain password ever diverge, the automatic unlock breaks. This usually happens when the account password is changed by a path that never had the old password to hand: a reset from Recovery, a reset through your Apple ID, or an administrator changing another user's password in System Settings. The keychain is still encrypted under the old password; the system tries the new one and fails.

This is the most common reason people see the dreaded “Login Keychain Password” dialog. The fix is either to provide the old password (if you remember it) or to reset the keychain (and lose everything in it).

Browsing What’s In There

Open Keychain Access, select “login” in the sidebar, and you’ll see every entry. The “Kind” column tells you what type:

  • internet password — saved web logins
  • application password — apps that store credentials
  • secure note — encrypted notes you’ve added
  • private key — cryptographic keys
  • certificate — public-key certificates

Double-click any entry to see details. To see the password itself, click “Show password” and authenticate. macOS asks for the keychain's password (normally the same as your account password), and for sensitive entries it asks more than once.

The search field at the top filters entries. Useful searches:

  • The domain of a site you can’t remember the login for
  • The email address you used somewhere
  • A keyword from a secure note

Keychain First Aid (RIP)

For years, Keychain Access had a “Keychain First Aid” menu item to repair corrupted keychains. Apple removed it in OS X El Capitan 10.11.1. The replacement is a more involved, manual process.

If your keychain is genuinely corrupt — entries missing, weird errors when accessing it, sync problems — the modern fix is:

  1. Quit all apps that use the keychain
  2. Move the keychain file to your Desktop:
    mv ~/Library/Keychains/login.keychain-db ~/Desktop/login.keychain-db.bak
    
  3. Log out and log back in (a new, empty Login Keychain will be created)
  4. If the new one works, your old keychain was corrupt
  5. Try to import entries from the backup using Keychain Access → File → Add Keychain

The “import the old one” step often partially succeeds. Once the old file is added you still need its own password to unlock it, but with that you can usually recover most entries even from a damaged keychain by copying them across in Keychain Access.

”Keychain Wants to Use Login” Dialogs

That recurring dialog, “<app name> wants to use the “login” keychain” or “<app name> wants to use your confidential information stored in your keychain”, appears when an app is trying to read a credential from the keychain and the system is asking for your permission.

This can spike to dozens of dialogs per session if:

  • An app’s signature changed (after an update) so the keychain doesn’t recognize it as authorized
  • Your keychain was reset and apps are re-authorizing themselves
  • An app is checking the keychain repeatedly in a loop

To grant always-allow access, click “Always Allow” instead of “Allow.” That adds the app's code identity to the item's access control list, so it can read that one secret from then on without asking; only do it for apps you recognize, since any process with a matching code signature then reads the secret silently. You can later review or revoke access in Keychain Access by double-clicking an entry and viewing its Access Control tab.

If the dialogs persist for a specific app, the app’s binary may have been replaced by an update with a different code signature. Re-saving the credential in the app usually clears it.

Resetting the Keychain Password

If you know the current password but want to change it:

  • Keychain Access → Edit → Change Password for Keychain “login”
  • Enter the current password and the new one

If you don’t know the current password and your account password no longer unlocks the keychain (the divergence problem from earlier), you’ll need to reset the keychain — which deletes its contents.

To reset:

  • Keychain Access → File → Delete Keychain “login”
  • Choose to delete it
  • Log out and back in, and a new Login Keychain is created

Reset means losing every saved password, certificate, and secure note in that keychain. Don’t do this casually. Try the alternatives first:

  1. If you know the old password, you don't need a reset at all: in Keychain Access choose Edit → Change Password for Keychain “login”, enter the old password as the current one and your account password as the new one, and automatic unlock works again
  2. Use iCloud Keychain entries if they’re synced — those survive a Login Keychain reset

Tip: File → Export Items only handles certificates and keys (as .p12, .cer or .pem), not password items, and it needs the keychain unlocked, so it is no help when the lost password is the problem. What you can always do is copy the login.keychain-db file itself somewhere safe before resetting: if the old password turns up later, File → Add Keychain will open the copy and let you pull the entries back.
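The backup-then-repair sequence from the First Aid section and the "change the keychain password instead of resetting" alternative above, as one script. This is an added example and not code from the original article or from Apple; it assumes macOS's /usr/bin/security and the default keychain path, and the `--run` flag and function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the original article: repair a login keychain
# whose password no longer matches the account password, without resetting it.
# Assumes macOS's /usr/bin/security and the default keychain path below.
set -eu

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Copy (never move) the keychain to a timestamped backup before touching it.
# A login keychain starts with the 4-byte legacy signature "kych"; refusing
# anything else guards against backing up the wrong file (e.g. the SQLite
# keychain-2.db) and then deleting the real one.
backup_keychain() {
    src="$1"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    magic=$(head -c 4 "$src")
    [ "$magic" = "kych" ] || { echo "not a keychain file: $src" >&2; return 1; }
    dst="$src.$(date +%Y%m%d-%H%M%S).bak"
    cp -p "$src" "$dst"
    echo "$dst"
}

# Unlock with the old password; if that works, re-key the keychain to the
# current account password so loginwindow can unlock it automatically again,
# then lock it. If the old password is wrong nothing is changed, and the
# only remaining option is the reset described above.
rotate_keychain_password() {
    kc="$1" old="$2" new="$3"
    if ! security unlock-keychain -p "$old" "$kc" 2>/dev/null; then
        echo "old password does not unlock $kc; only a reset remains" >&2
        return 1
    fi
    security set-keychain-password -o "$old" -p "$new" "$kc"
    security lock-keychain "$kc"
}

# Read a secret from the terminal without echo so it stays out of shell
# history. The -p/-o flags above still pass secrets as process arguments,
# briefly visible in ps; on a shared machine drop those flags and let
# security prompt for each password itself.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r val; stty echo; echo >&2
    printf '%s' "$val"
}

main() {
    bak=$(backup_keychain "$KEYCHAIN")
    echo "backup written to $bak"
    old=$(read_secret "old keychain password")
    new=$(read_secret "current account password")
    rotate_keychain_password "$KEYCHAIN" "$old" "$new"
    echo "keychain password now matches; log out and in to confirm it auto-unlocks"
}

# Run the interactive flow only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh fix-keychain.sh --run`. The backup step is the part worth keeping even if you end up resetting: a copy of the file costs nothing and keeps the door open if the old password resurfaces.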

Keychain Access Hidden Features

A few useful things buried in Keychain Access menus:

  • File → New Password Item — manually add a credential
  • File → New Secure Note Item — store arbitrary encrypted text
  • File → Import Items — import certificates, keys and .p12 identities (not password items)
  • Keychain Access → Settings → General → Reset Default Keychains (“Reset My Default Keychain” in older versions) — the GUI equivalent of the reset above: creates fresh login and Local Items keychains
  • View → Show Expired Certificates — useful for cleaning up stale certs
  • Keychain Access → Certificate Assistant — built-in tools for creating self-signed certs and certificate signing requests

The Certificate Assistant is a surprisingly capable certificate-management tool that ships with macOS: self-signed certificates for local development, a small internal CA, and certificate signing requests to send to a real CA. Anything public-facing should still come from a proper CA.

When the Keychain Is “Locked”

Sometimes you’ll see “Keychain locked” in the sidebar (a lock icon). This means the keychain’s encryption key isn’t currently available — either because of an idle timeout or a manual lock. To unlock, double-click and provide the password.

You can also adjust idle behavior: select the keychain in the sidebar, and choose Edit → Change Settings for Keychain “login.” Options include:

  • Lock after N minutes of inactivity
  • Lock when sleeping

For sensitive Macs, locking after 5 minutes of inactivity is a reasonable middle ground. The trade-off is that anything reading the keychain (Mail, Safari, VPN clients) prompts for the keychain password each time it relocks.

Wi-Fi Passwords Specifically

Wi-Fi passwords get stored in the System Keychain (not Login Keychain), because they need to be available before any user logs in. To see a saved Wi-Fi password:

  • Open Keychain Access
  • Select “System” in the sidebar
  • Search for the network name
  • Double-click the entry, click Show Password
  • Authenticate with admin credentials

This is how to “remember” a Wi-Fi password for a network you joined ages ago. The password is right there.

The Command Line Path

The security CLI tool exposes most keychain operations:

To list all keychains:

security list-keychains

To find a specific item:

security find-internet-password -s "example.com"

To get the password (this shows the keychain access dialog unless the security tool is already allowed on that item):

security find-internet-password -s "example.com" -w

To unlock a locked keychain:

security unlock-keychain ~/Library/Keychains/login.keychain-db

This is occasionally useful in scripts. For everyday work, Keychain Access is friendlier.
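For scripting, the useful part is turning the attribute dump that `security` prints into something a script can act on. The helper below is an added example, not code from the original article or from Apple: `keychain_field` and `format_login` parse the dump format and run anywhere (the sample dump is constructed for the example), while `web_login`, `web_password`, `wifi_password` (the Wi-Fi lookup from the section above, done on the command line) and `set_lock_policy` (the CLI form of the idle-lock settings) call macOS's security(1) and only work on a Mac. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original article: a small scripting layer
# over macOS's /usr/bin/security. The parsing helpers work on the item dump
# format security prints (the sample below is constructed) and run anywhere;
# the wrappers that call security itself only work on a Mac.
set -eu

# security prints an item's attributes one per line, e.g.
#     "acct"<blob>="alice"
#     "srvr"<blob>="example.com"
#     "ptcl"<uint32>="htps"
#     "desc"<blob>=<NULL>
# keychain_field NAME reads such a dump on stdin and prints the quoted value
# of attribute NAME, or nothing if it is <NULL> or absent.
keychain_field() {
    sed -n 's/^ *"'"$1"'"<[a-z0-9]*>="\(.*\)"$/\1/p'
}

# security stores the protocol as a 4-character code ("htps", "http",
# "ftp ", "imap", ...); map it back to a scheme name.
keychain_scheme() {
    case "$1" in
        htps) echo https ;;
        *) printf '%s\n' "$1" | tr -d ' ' ;;
    esac
}

# Turn an item dump on stdin into scheme://account@server. Returns 1 when
# the dump has no server attribute, e.g. because security found nothing.
format_login() {
    dump=$(cat)
    acct=$(printf '%s\n' "$dump" | keychain_field acct)
    srvr=$(printf '%s\n' "$dump" | keychain_field srvr)
    ptcl=$(printf '%s\n' "$dump" | keychain_field ptcl)
    [ -n "$srvr" ] || return 1
    printf '%s://%s@%s\n' "$(keychain_scheme "$ptcl")" "$acct" "$srvr"
}

# Metadata only: which account is saved for a host. No -w, so the secret is
# never read and no permission dialog appears.
web_login() {
    security find-internet-password -s "$1" | format_login
}

# The secret itself. This triggers the "wants to use your confidential
# information" dialog unless security is already on the item's ACL.
web_password() {
    security find-internet-password -s "$1" -w
}

# Wi-Fi passwords are "AirPort network password" items in the System
# keychain whose account name is the SSID; expect an admin prompt.
wifi_password() {
    security find-generic-password -D "AirPort network password" -a "$1" -w
}

# CLI equivalent of Edit → Change Settings for Keychain "login": lock after
# $1 seconds idle and on sleep, then print the settings back.
set_lock_policy() {
    kc="${2:-$HOME/Library/Keychains/login.keychain-db}"
    security set-keychain-settings -l -u -t "$1" "$kc"
    security show-keychain-info "$kc"
}

# Constructed sample of what `security find-internet-password -s example.com`
# prints, trimmed to the attributes used above.
SAMPLE_DUMP='keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="example.com (alice)"
    "acct"<blob>="alice"
    "desc"<blob>=<NULL>
    "path"<blob>="/login"
    "port"<uint32>=0x00000000
    "ptcl"<uint32>="htps"
    "srvr"<blob>="example.com"'

# Demo that needs no Mac: parse the sample instead of calling security.
demo() {
    printf '%s\n' "$SAMPLE_DUMP" | format_login
}
```

Source the file and call what you need: `. ./keychain.sh; web_login example.com; set_lock_policy 300`. Keeping the metadata lookup (`web_login`) separate from the secret lookup (`web_password`) matters in scripts: the first never touches the password and so never trips the access dialog, while the second does, and clicking "Always Allow" for /usr/bin/security hands every shell script on the machine silent access to that item.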

What Goes in the Keychain (and What Doesn’t)

Worth knowing what’s stored where:

In Login Keychain:

  • Saved Safari logins (when iCloud Keychain is off)
  • App-saved passwords (Mail, Messages account creds)
  • VPN credentials
  • Code signing identities
  • Per-user certificates

In System Keychain:

  • Wi-Fi passwords
  • System-wide certificates
  • Some hardware-related keys

In iCloud Keychain (separate sync system):

  • Safari passwords (when iCloud Keychain is on)
  • Apple Pay payment methods
  • Passkeys

Not in any keychain:

  • Browser extensions’ saved data (lives in extension storage)
  • 1Password, Bitwarden, etc. (their own encrypted vaults, separate from macOS keychains)
  • Preferences that look like passwords but aren’t (defaults data)

When to Reach for Keychain Access

Day-to-day, you mostly don’t. The keychain works invisibly. The reasons to actually open it:

  • Recovering a saved Wi-Fi password
  • Investigating why an app keeps prompting for credentials
  • Cleaning up old/unused credentials
  • Looking up a saved login for a site Safari can’t autofill anymore
  • Importing or exporting credentials to/from another Mac
  • Resetting after corruption

It’s a tool you use occasionally and intensively, not constantly. When you need it, knowing where the entries live and how to interpret them makes the difference between recovering in five minutes and starting over from scratch.
