Set and Get a Keychain Password

Hey Folks,

Keyboard Maestro has two actions for working with the OSX Keychain:

A) Set Keychain Password to Text
B) Set Variable to Keychain Password

When I first started fooling with item B I noted that it worked with some passwords and failed with others – so I gave up and ignored it.

Since the issue has come up on the forum a couple of times since then, I asked Peter to explain and got the straight scoop.

These actions ONLY work with Generic Passwords – they do NOT work with Internet Passwords – which completely explains the problems I was having.

This one macro is an example of Setting a Keychain Password and then Getting it.

-Chris


Set and Get a Keychain Password.kmmacros (3.2 KB)

Hey Folks,

Alright. Let us suppose that you want to make use of the Internet Passwords in your OSX Keychain and don't want to create Generic duplicate entries for Keyboard Maestro to use.

This is possible using the security command-line tool. (Enter man security in the Terminal for more info.)

security find-internet-password -a my_account_name -l my_keychain_item_name -w

security has many features and is fairly intimidating, but as it turns out it's not all that difficult to extract passwords from the Keychain.

-a == Account name (as seen in the Keychain item)
-l == Label name (name of the Keychain item)
-w == Return the Password

There is quite a bit of data available and several more search-terms, but if you want to know more you'll have to do some research on your own.

When you run your macro you'll be asked whether or not to allow the password to be found (this once – or always).

NOTE: Giving the security command-line tool permission to always access your Keychain can reduce the security of your system a bit, so it's desirable to know what you're doing.

-Chris


Get Internet Password from the OSX Keychain.kmmacros (3.4 KB)
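An added example, not part of the original posts: a small wrapper around the `security` lookup described above that tries the Internet Password class first, falls back to the Generic Password class, and fails closed when nothing is readable. The function name `kc_password` and the account and label values are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original posts). The function name and the
# account/label values mentioned below are hypothetical.

# Print the password for a keychain item on stdout.
# Tries the Internet Password class first, then Generic Password, because
# Keyboard Maestro's own actions only see the generic class.
# Returns 0 on success, 1 if neither class has a readable match,
# 2 on bad usage.
kc_password() {
    local account="$1" label="$2" kind pw
    if [ -z "$account" ] || [ -z "$label" ]; then
        echo "usage: kc_password ACCOUNT LABEL" >&2
        return 2
    fi
    for kind in internet generic; do
        # -a account, -l label, -w print only the password.
        # stderr is dropped so lookup errors do not end up in macro logs.
        if pw=$(security "find-${kind}-password" -a "$account" -l "$label" -w 2>/dev/null) \
           && [ -n "$pw" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
    echo "kc_password: no readable item for account '$account', label '$label'" >&2
    return 1
}

# Typical use in an Execute Shell Script action: capture the result into a
# variable, check the exit status, and never echo the value or pass it to
# another program as a command-line argument.
#
#   if secret=$(kc_password "my_account_name" "my_keychain_item_name"); then
#       ... use "$secret" ...
#   fi
```

A denied keychain prompt also makes `security` exit non-zero, so the wrapper reports it the same way as a missing item.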

So in effect it’s like giving trust to another system module and if someone finds a way to compromise that module they now also have full access to the keychain. Would that be correct?

If you allow the security tool to read your keychain, that means any code running on your Mac as your user could potentially read that password without any permission from you.

This is similarly true about reading a password from Keyboard Maestro, since any code running on your Mac as your user can execute macro actions.

No idea. I'm still using Sierra...

Peter, my apologies for bringing up an old, 2016 thread, but since this is about security it is an important topic that we all need to clearly understand.

So, if I understand you correctly, there is NO way to use my macOS Keychain securely with KM, correct?

Whereas, the KM interface with 1Password does allow for full security, because the 1PW master PW will be required, correct?

If so, do you have a good example of getting a password from 1PW using KM, as of KM Ver 9+?

Thanks.

When you write a password with the Set Keychain Password to Text action, by default, Keyboard Maestro has access to the password whenever the login Keychain is unlocked. So you can lock the login Keychain, and then you would need to unlock it.

But you can also open the Keychain Access tool, find the password entry, and remove Keyboard Maestro Engine from having unrestricted access to the password. Then whenever Keyboard Maestro Engine wants to read the password, the system will ask for permission and you will have to enter the login password.

If you do this, and use a Password variable, so the variable is not stored anywhere, then the security should be relatively high. Keyboard Maestro would not have access to the password except after you typed your password in. And even if I expose running instances, I would not expose the value of a password variable.

Hi, @JMichaelTX, you can set up a keychain with a master password similar to 1Password.
Sorry, the video is in German, but the steps should be understandable:

Chris or others,

I believe I now better understand your terminal command script to deliver an internet password. However, the difficulty I'm having is with a "Web form password". Reading through the man security command information, I don't see any reference or commands to display these passwords.

Does that suggest it is not possible to access or display these and thus requires the "My Goofy Keychain Password" (i.e. Generic duplicates) approach for use with Keyboard Maestro?

Hey Anthony,

I show in post 2 exactly how to get an Internet Password from the Keychain using the 'security' shell command.

But let's try to clarify things a little bit.

* Note -- the values in the image are bogus, and I have a strong password.

image

# Command Format:
# security find-internet-password -a Keychain_Item_Account_Name -l Keychain_Item_Name -w

# Working Command:

security find-internet-password -a ccstone_GitHub -l github.com -w

I just verified that this still works on macOS Sierra.

When you first run it the system will ask you to unlock the keychain item to get the password. If you select the always allow button you won't have to unlock it the next time you run your macro.

However -- when the keychain locks -- you'll have to grant Keyboard Maestro access again.

You can manually lock the keychain, or you can set it to auto-lock after a certain number of minutes. I also believe it is automatically locked when you log-out, shut down, or restart.

-Chris

Chris,

Your response is clear! However, the question is does it also work when the Keychain Access kind is Web form password? I have not been able to successfully obtain the password so far. Please show the terminal statement that you would recommend for the following Keychain item:

Thank you very much,

Anthony

Try this:

security find-internet-password -a feddal -l 'online.americanexpress.com (feddal)' -w

It works on my system with my credentials for a given web-form-password.

-Chris