Why do I have to keep entering my keychain password in Sierra?


When you start your Mac up, you should normally have to enter the password for the username with which you log on, and you are likely, sooner or later, to be prompted to enter the password for your Apple ID, which gives you access to iCloud, the App Store, iTunes Store, Messages, and all the other creature comforts which Apple offers.

You should not, normally, be prompted to enter your password to unlock your keychain.

Each user on a Mac has their own keychain which is routinely opened when they log in – hence it is named, by default, login. This should be opened when you log in, and left open. If you want to inspect secure information in that keychain, such as a saved password, you will normally be prompted for the password for that keychain.

The default password for your login keychain is your normal user login password, which should ensure that you only have to enter that once. If your login keychain has a different password, then you will be asked to enter that different password once you have logged in. It is thus normally best to leave the login keychain password set the same as your normal user password.

Keychains, including the login one, can also be locked, in which case you will be prompted for the password for that keychain in order to unlock it, should you or any app wish to access it. Normally, your login keychain is left unlocked while you are logged in, sparing you from having to keep entering your password to grant access to it. Sometimes that goes wrong, and the login keychain becomes locked, and may be set to remain locked: you will notice this when you are repeatedly asked to enter your password to unlock the keychain.


The bundled tool which gives access to keychains, and is used to maintain them, is Keychain Access, found in the /Applications/Utilities folder. When you first open that app, it defaults to showing your login keychain, as listed in the keychains at the upper left of its window. The icon in the window bar above should be an open padlock, to confirm that this keychain is currently unlocked. If you click on the padlock, it will lock that keychain; click on it a second time to open it, and you will be prompted to enter the password for that keychain.


If you’re being troubled by repeated dialogs asking you to enter the password to unlock your login keychain, first make sure that it is unlocked. With the login keychain selected at the upper left, use the Edit menu command to Change Settings for Keychain “login”… That will drop a dialog over the window, in which you should ensure that both the checkboxes are left unchecked.


The first of those checkboxes is normally the one which has been causing problems. If it is checked, your Mac will automatically lock your login keychain after the set period of inactivity. That can be very useful in open plan offices and similar places where you want to ensure that others cannot access anything secure on your Mac. But the disadvantage is that you will have to keep entering your password to re-open the login keychain after each period of inactivity.

The second checkbox simply ensures that the keychain is locked whenever your Mac goes to sleep; when checked, it will mean that every time that you wake your Mac up from sleep, you will have to enter the login keychain password to unlock again.

Save any changes, check again that the login keychain is unlocked, and quit Keychain Access.
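
The same two settings can be read from Terminal with the bundled `security` tool. The script below is an added example, not part of the original article; the sample lines and the user name alice are constructed, and the line format it parses is assumed to be what `security show-keychain-info` prints.

```shell
#!/bin/sh
# Added example: map one line of `security show-keychain-info` output onto
# the two checkboxes in Keychain Access's settings dialog.

# classify_keychain_info LINE
# Prints "sleep=<yes|no> timeout=<seconds|none>"; returns 2 if LINE is not
# in the assumed format: Keychain "<path>" [lock-on-sleep] timeout=Ns|no-timeout
classify_keychain_info() {
    case $1 in
        'Keychain "'*) ;;
        *) echo "unparseable"; return 2 ;;
    esac
    flags=${1##*\" }          # text after the quoted keychain path
    sleep_lock=no
    timeout=none
    case $flags in *lock-on-sleep*) sleep_lock=yes ;; esac
    case $flags in
        *timeout=*)
            timeout=${flags##*timeout=}
            timeout=${timeout%s}      # drop the trailing unit, 300s -> 300
            ;;
    esac
    printf 'sleep=%s timeout=%s\n' "$sleep_lock" "$timeout"
}

# needs_fix LINE: succeeds when either auto-lock setting is switched on.
needs_fix() {
    state=$(classify_keychain_info "$1") || return 2
    [ "$state" != "sleep=no timeout=none" ]
}

# Constructed sample lines (user "alice" is made up).
SAMPLE_LOCKING='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_OK='Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout'

# On a Mac read the default keychain (normally login); elsewhere use a sample.
if command -v security >/dev/null 2>&1; then
    report=$(security show-keychain-info 2>&1 || true)   # capture stderr too
else
    report=$SAMPLE_LOCKING
fi
if needs_fix "$report"; then
    echo "auto-lock is on: $(classify_keychain_info "$report")"
else
    echo "auto-lock not detected: $(classify_keychain_info "$report")"
fi
```

Running `security set-keychain-settings` against the login keychain with none of its `-l`, `-u` or `-t` options turns off both lock-on-sleep and the inactivity timeout, the command-line counterpart of unchecking both boxes.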

The other common cause of keychain problems occurs when you (or a system administrator) reset your password, which causes the password used when logging in to become different from that used for the login keychain. If that happens, it is easily corrected in Keychain Access, selecting the login keychain, and changing its password to that now used to log in, through the command in the Edit menu.

If you need to do that, you will be prompted to enter your old password for that keychain, i.e. the password which you used before it was changed. If you can’t remember that, you will have to create a new login keychain, but will lose all the passwords and other information in your old one. To do that, select the login keychain, then open Preferences. Click on the button at the bottom, reading Reset My Default Keychain.


If these do not fix the frequent requests to unlock your keychain, it is most likely that an app or background process is to blame. You will then have to work out which – something which is not that easy. It may help to start up in Safe mode to eliminate third-party extensions and similar.

Very occasionally, a keychain becomes damaged. Keychain Access used to link to a repair tool, but that enabled malware to tinker with keychains, so for the sake of improved security, Apple removed that in OS X 10.11.2. The only way to repair a damaged keychain now is to create a new one, and copy and paste all the items from the damaged keychain into the new keychain, which is detailed here. You can then substitute the new for the old. It’s tedious, but more secure.

Finally, your keychain contains very sensitive information, which malware would love to get its hands on. When you see alerts and dialogs referring to keychains, particularly those which prompt you to enter your password, read them very carefully before proceeding. If you are in the least bit suspicious, check what’s going on before you invite potential malware into your keychain.