Information
The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organizations using keychain aware applications extensively.
In previous versions of the Benchmark there were recommendations for inactivity timeouts and maintaining individual keychains. The user experience with a short inactivity timeout is difficult. Users will be unlocking the keychain often to all keychain aware applications access. This benchmark lengthened the inactivity timeout substantially in the past to keep the inactivity control. At this time it has been dropped. The compensating controls of a screen lock, lock when sleeping, and the built-in keychain encryption make the control allows for a small residual risk.
Early guidance, including in this Benchmark, recommended the use of additional keychains as needed to separate confidentiality levels or separate user domains (work, school, volunteer groups...) At his point, particularly with the availability of iCloud Keychain key segregation is a niche use case. Recent recommendations on distinct keychains is very rare.
Rationale:
While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password-protected programs and/or systems in the absence of the user.
Impact:
The user may experience multiple prompts to unlock the keychain when waking from sleep.
Solution
Perform the following to set the login keychain to lock on sleep:
Graphical Method:
Open Keychain Access
Select the login keychain
Select Edit
Select Change Settings for keychain login
Set Lock when sleeping
Terminal Method:
For each user, run the following command to set the login keychain to sleep on lock:
$ sudo -u <username> security set-keychain-settings -l /Users/<username>/Library/Keychains/login.keychain
example:
$ sudo -u firstuser security set-keychain-settings -l /Users/firstuser/Library/Keychains/login.keychain