If you like me have used Firefox under Mac OS X, but prefer Safari for one reason or another, you might have already noticed that Safari does not support protecting your web form passwords with some kind of a master password. The reason for this behaviour is that Safari stores your sensitive passwords in the default “login” keychain that is automatically unlocked whenever you log into your OS X account and is kept unlocked until you log off. Safari is also granted an unlimited access to its entries in this keychain. The net result is that if someone gains access to your browser, he can log into all those sites that you have your passwords remembered for.
One easy remedy is to create a separate keychain and to move your site passwords there. To do that:
- Open Keychain Access from /Applications/Utilities (or just type Keychain Access in Spotlight and hit Enter).
- From the File menu select New Keychain… (or press ⌥⌘N)
- Type a name for the new keychain file, i.e. Passwords and click the Create… button.
- Pick up some good password and enter it twice in the following dialog.
- When the new keychain is created Ctrl-click (or right-click) on it in the Keychains panel and select Change Settings for Keychain “Passwords”…. Make sure that Lock when sleeping is selected and adjust if desired the automatic lock timeout. I personally set it to 20 minutes.
- Now select back the login keychain, click the Kind column header to sort keychain entries by kind and locate all of the “Web form password” entries that you want to secure and select them.
- Drag the selected entries to your new keychain (Passwords in my case). You might have to enter your login password when moving each one of them.
That’s it — your web passwords are now protected by a kind of master password, used to unlock the new keychain. Unfortunately, you’ll have to manually move all new passwords that you entrust Safari to remember from the “login” keychain to your secure store.