Applications/Utilitiesfolder. If you use the Apple Mail program to check email for a Gmail account, you can view the password stored in a keychain for the Gmail account by opening the Keychain Access program and then typing
gmailin the search box at the upper, right-hand corner of the window and hitting Enter. You should then see entries displayed for
smtp.gmail.com, if you are checking email via the Internet Message Application Access Protocol (IMAP) and sending email via the Simple Mail Transfer Protocol (SMTP).
To view the stored password that is used to access the email for the Gmail account, you can double-click on the IMAP entry.
To view the password, click on the Show password check box. You will be prompted to provide your login password. Provide that password and click on Allow, or Always Allow, if you don't want to see the prompt in the future when you request such access.
You will then see the password displayed next to "Show password".
If you wish to change the password stored in the keychain, you can type a new password and click on Save Changes.
Alternatively, you can check the password from the command line, e.g., a
Terminal window using a
-ga accountname command where accountname is the name
of the Gmail account; don't include the "gmail.com" and be sure that you
capitalize the account name just as it appears in the Account field when you
view the information via the Keychain Access utility. E.g., if the Gmail
address was email@example.com, I could use the following command:
$ security find-internet-password -ga 'public.public222' keychain: "/Users/jmcamer1/Library/Keychains/login.keychain" class: "inet" attributes: 0x00000007 <blob>="imap.gmail.com" 0x00000008 <blob>=<NULL> "acct"<blob>="public.public222" "atyp"<blob>="dflt" "cdat"<timedate>=0x32303135303832353231333334325A00 "20150825213342Z\000" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303136303330333230343432395A00 "20160303204429Z\000" "nega"<sint32>=<NULL> "path"<blob>=<NULL> "port"<uint32>=0x0000008F "prot"<blob>=<NULL> "ptcl"<uint32>="imap" "scrp"<sint32>=<NULL> "sdmn"<blob>=<NULL> "srvr"<blob>="imap.gmail.com" "type"<uint32>=<NULL> password: "ThePassword" $
The last line displayed is the password, so I could filter the output with grep, if I only wanted to see the password.
$ security find-internet-password -ga 'public.public222' | grep "password:" password: "ThePassword" $
Note: you will be prompted as to whether you wish to allow access to the information as shown below:
You can click on Allow to permit access; if you don't want to see the prompt in the future, click on Always Allow.
Other options available for the
command are shown below:
$ security find-internet-password -h Usage: find-internet-password [-a account] [-s server] [options...] [-g] [keychain...] -a Match "account" string -c Match "creator" (four-character code) -C Match "type" (four-character code) -d Match "securityDomain" string -D Match "kind" string -j Match "comment" string -l Match "label" string -p Match "path" string -P Match port number -r Match "protocol" (four-character code) -s Match "server" string -t Match "authenticationType" (four-character code) -g Display the password for the item found -w Display only the password on stdout If no keychains are specified to search, the default search list is used. Find an internet password item.
You can use the
security add-internet-password command to change
$ security add-internet-password -h Usage: add-internet-password [-a account] [-s server] [-w password] [options...] [-A|-T appPath] [keychain] -a Specify account name (required) -c Specify item creator (optional four-character code) -C Specify item type (optional four-character code) -d Specify security domain string (optional) -D Specify kind (default is "Internet password") -j Specify comment string (optional) -l Specify label (if omitted, server name is used as default label) -p Specify path string (optional) -P Specify port number (optional) -r Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ") -s Specify server name (required) -t Specify authentication type (as a four-character SecAuthenticationType, default is "dflt") -w Specify password to be added -A Allow any application to access this item without warning (insecure, not recommended!) -T Specify an application which may access this item (multiple -T options are allowed) -U Update item if it already exists (if omitted, the item cannot already exist) By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: -T "" If no keychain is specified, the password is added to the default keychain. Add an internet password item. $
To change the password for the Gmail account firstname.lastname@example.org
in the example above to be
ANewPassword, I could use the
$ security add-internet-password -a 'public.public222' -U -s 'imap.gmail.com' -w 'ANewPassword' $
-a option is used to specify the account name, the
-U option indicates I want to change an existing account (if I omitted
it then the entry would not be updated if it already existed), the
option specifies that I'm updating the entry for the server imap.gmail.com,
-w option allows me to specify the new password.
If you enclose the password in single quotes rather than double quotes, you
can use characters, such as an exclamation mark, that might otherwise have
a special meaning to the Bash shell and thus not actually be stored as part of
the password as you expect.