Information
The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organization using keychain aware applications extensively.
Rationale:
While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user.
Solution
Perform the following to implement the prescribed state:
1. Open Utilities
2. Select Keychain Access
3. Select a keychain
4. Select Edit
5. Select Change Settings for keychain
6. Authenticate, if requested.
7. Select Lock when sleeping setting