Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exporting (iCloud) Keychain and Safari credentials to a CSV file

Exporting (iCloud) Keychain and Safari credentials to a CSV file

Update (October 2021)

Exporting password + one-time code data from iCloud Keychain is now officially supported in macOS Monterey and Safari 15 (for Monterey, Big Sur, and Catalina). You can access it in the Password Manager’s “gear” icon (System Preferences > Passwords on Monterey, and Safari > Passwords everywhere else), or via the File > Export > Passwords... menu item). You shouldn't need to hack up your own exporter anymore.

Original, Obsolete Content (2014)

After my dad died, I wanted to be able to have access any of his online accounts going forward. My dad was a Safari user and used iCloud Keychain to sync his credentials across his devices. I don’t want to have to keep an OS X user account around just to access his accounts, so I wanted to export his credentials to a portable file.

This is the process I used to create a CSV file of his credentials in the format “example.com,user,pass”. This portable format would be pretty easy to import into 1Password or Safari in the future.

The way I went about this isn’t great; it opens up more opportunities for apps to control one’s Mac through Accessibility APIs, it writes plaintext passwords to disk, and it could use some cleaning up. A better approach might leverage the security command line tool that ships with OS X. That said, I found this method to be a fun illustration of what’s possible using AppleScript (or JavaScript!) and UI scripting on OS X.

Copy the iCloud Keychain into a local Keychain

One’s iCloud Keychain is stored on disk in a different format than a traditional keychain. To access the credentials, I first created a traditional keychain with the iCloud Keychain’s contents. To do this, I clicked File > New Keychain (⌥⌘N) in Keychain Access. In my case, I saved the new keychain to the desktop. I clicked on iCloud in the sidebar, selected all of the passwords, and copied them. I selected the new keychain I just created and pasted the passwords.

Screenshot of Keychain Access asking for the "Local Items" keychain password

Keychain Access prompted me for the “Local Items” keychain password for every password I was pasting. In my case, this would have been over 200 times!

Automating typing the keychain password and clicking “OK”

I ran the following script to take care of this:

-- Taken from a comment by Mr. X on http://selfsuperinit.com/2014/01/20/exporting-icloud-keychain-passwords-as-a-plain-text-file/
set keychainPassword to "keychain password"

tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            set value of text field 1 of window 1 to keychainPassword
            click button "OK" of window 1
        end tell
        delay 0.2
    end repeat
end tell

Whatever process is running this script (Script Editor or a standalone bundle), it’ll need permission to “control your computer”.

Screenshot Security & Privacy > Privacy > Accessibility

After that runs, the recently-created local keychain should contain all of the passwords stored in iCloud Keychain.

Write all of the passwords from the keychain to a file

I grabbed a copy of Daniel Jalkut’s “Usable Keychain Scripting” utility to help with the next part, but someone more sane might turn to security.

I ran the following script to write the passwords out to disk:

set the logFile to ((path to desktop) as string) & "Passwords"
set keychainPath to "/Users/Dad/Desktop/dad.keychain"

-- write_to_file taken from http://www.macosxautomation.com/applescript/sbrt/sbrt-09.html
on write_to_file(this_data, target_file, append_data)
    try
        set the target_file to the target_file as string
        set the open_target_file to open for access file target_file with write permission
        if append_data is false then set eof of the open_target_file to 0
        write this_data to the open_target_file starting at eof
        close access the open_target_file
        return true
    on error
        try
            close access file target_file
        end try
        return false
    end try
end write_to_file

tell application "Usable Keychain Scripting"
    set keychainItems to get every keychain item of keychain keychainPath
    repeat with keychainItem in keychainItems
        set aServer to server in keychainItem
        set anAccount to account in keychainItem
        set aPassword to password in keychainItem

        set csvEntry to aServer & "," & anAccount & "," & aPassword & "
"

        my write_to_file(csvEntry, logFile, true)
    end repeat
end tell

There’s a lot that can be improved with this code. For instance, I could have used a consistent naming style between copied and non-copied code. If I took the time to look up an array or list "join" routine, the intent of the could could have been better communicated.

Here again, OS X’s Keychain wanted to do its job, prompting me to allow access for each of the 200+ items.

-- Taken from a comment by Mr. X on http://selfsuperinit.com/2014/01/20/exporting-icloud-keychain-passwords-as-a-plain-text-file/
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of window 1
        end tell
        delay 0.2
    end repeat
end tell

After that, I had my file. Inelegant, but it got the job done, and I had fun.

@rmondello
Copy link
Author

rmondello commented Oct 14, 2019

Does anyone have a preferred fork that’s fixed the issues that have been commented on? I’d be happy to update the gist to match.

@recoi1er
Copy link

recoi1er commented Nov 20, 2019

Not working now, the password box closes itself and there is no way to unlock automatically again or to keep activated. (macos catalina)

Yep same problem for me too. After 30 seconds or so the preferences lock. On Mojave.

I am getting same problem as @nac6 https://gist.github.com/rmondello/b933231b1fcc83a7db0b#gistcomment-3047534

Any luck editing script?

I am having the same issue, looks like it's a Safari 13.03 issue (unless you have something different?) Seems to have worked on 13.01 still. I am not sure how to stop it from timing out like that, I even tried moving my mouse around while it did it's thing but it still timed out. Perhaps it's looking and seeing the methodical churn through all the passwords? Just spit balling here

@recoi1er
Copy link

recoi1er commented Nov 20, 2019

I messaged the creator of this (Mike) and he said you need to have Safari closed out completely (quit it) and then run the script. I just tried it out and it’s been working my 400+ passwords for about 6 or so minutes without a hitch! Wanted to spread the word, happy exporting!

@nac6
Copy link

nac6 commented Nov 20, 2019

Excellent news. I'll give it a go. Thanks.

@dylan-chong
Copy link

dylan-chong commented Dec 17, 2019

Thank you @recio1er it worked!

@recoi1er
Copy link

recoi1er commented Dec 17, 2019

@dylan-chong glad it’s working for you!

@ppquadrat
Copy link

ppquadrat commented Apr 13, 2020

Thank you, it has worked on Mojave, Safari 13.1
I downloaded the mrc-converter-suite, closed Safari and ran the Get_Safari12_Passwords.applescript script

@alexbegg
Copy link

alexbegg commented Jun 4, 2020

I messaged the creator of this (Mike) and he said you need to have Safari closed out completely (quit it) and then run the script. I just tried it out and it’s been working my 400+ passwords for about 6 or so minutes without a hitch! Wanted to spread the word, happening exporting!

It appears that they have now updated the Get_Safari12_Passwords.applescript script to prompt you if you want to close Safari, and if you click OK it will close Safari for you

@JoseSarmiento
Copy link

JoseSarmiento commented Jun 23, 2020

Confirmed working for me as well!

@recoi1er
Copy link

recoi1er commented Jul 8, 2020

I can confirm that it is definitely not working and it brings the following error:

error "„System Events“ hat einen Fehler erhalten: „scroll area 1 of group 1 of group 1 of window \"Passwörter\" of application process \"Safari\"“ kann nicht gelesen werden. Ungültiger Index." number -1719 from scroll area 1 of group 1 of group 1 of window "Passwörter" of application process "Safari"

OS: Catalina 10.15.5
Safari: 13.1.1

At what stage is this happening at? "definitely not working" without any context definitely doesn't help get to the root of your issue when your error is in another language!

@Playermdude
Copy link

Playermdude commented Aug 19, 2020

I have no programming experience. Can someone dumb this down for a non-coder so I can retrieve my passwords?

Am I supposed to substitute anything in the code or just copy and paste it as it is? What am I supposed to name my files, keychain, etc to make this run properly?

@recoi1er
Copy link

recoi1er commented Aug 19, 2020

I have no programming experience. Can someone dumb this down for a non-coder so I can retrieve my passwords?

Am I supposed to substitute anything in the code or just copy and paste it as it is? What am I supposed to name my files, keychain, etc to make this run properly?

Read the instructions a couple times to where it applies to what password list you are exporting from and the convert section. You do not need to "code" anything but you need to replace values that match what you have on your end (if anything in the gray text bars - the text you input in your command interface - is italicized then it will need to be replaced with a value on your end, sufficient examples are provided). The instructions tell you exactly what to name your exported files as well, you can choose any name but it's easier to use the ones picked in the instructions for following along.

@IvanExpert
Copy link

IvanExpert commented Aug 24, 2020

Just went through all of the above -- thank you for all of you especially @rmondello who've put work into figuring this out and commenting on it! Here's what I experienced:

  • The Get_Safari12_Passwords.applescript found in mrc-converter-suite works great under Safari 13.1.2 on Catalina 10.15.6. Very impressive, and this is probably the best and easiest solution for most people at this point, since the most important thing in most iCloud Keychains is web form passwords. (One hitch I ran into is that I had my Safari set to reopen windows from last session -- and if that meant no windows were open, the script wouldn't work. Once I made sure Safari had at least one window open, it ran fine.)

  • But I wanted to get all of my iCloud Keychain, including WiFi passwords, application passwords, etc. And I wanted it to stay as a keychain, rather than turn into a spreadsheet.

  • As others above observed, copying and pasting in Keychain Utility from the iCloud/Local Items keychain to a new keychain, using 10.13.4 and later, no longer works, apparently due to an Apple bug.*

  • Not having an older machine handy, I installed 10.11.6 into a Parallels VM.**

  • Once I got 10.11.6 up and running, I was able to load my iCloud Keychain, then turn it back into "Local Items" by signing out. From there I was able to Select All, Copy, Paste, as described in the original gist.

  • I then tried to use the AppleScript for the password entry -- we were talking almost 600 items. However, I'd occasionally hit an error (either an invalid parameters passed to function error, or a duplicate entry), and that would throw off the script. So I changed my user password in the El Cap VM to no password at all. Then I just held down the return key, pausing to press it to dismiss errors, then resuming holding it down. I zipped through it pretty quickly.

  • My new keychain appeared to be incomplete, but quitting and relaunching Keychain Utility resolved that. It contained about 578 of my 596 original entries, so I considered that to be good enough, and it seemed consistent with the number of errors that I hit.

Thanks again to @rmondello and all who commented here. I never would have gotten this done without you.

* As a workaround for copy-paste not working in 10.13.4+, I wonder if it's possible, using GUI scripting, to open each and every keychain entry and manually copy out all of its elements into a new entry. It would certainly be fragile. I'm not going to find out.

** Getting 10.11.6 running in a VM was a substantial challenge in and of itself, because while Apple lets you download it freely, what you get is an installation package, which installs the macOS Installer app that Parallels needs. But the package refuses to run on hardware that won't support it (i.e. a newer Mac). So I ended up having to install Catalina into Parallels (which is easy, because Parallels lets you install from the Recovery Disk automatically). From there, I could run the package installer in the El Capitan disk image, without concern for the underlying hardware. That got me an El Capitan Installer app, which I was able to copy to my host OS via file sharing, and Parallels was able to install 10.11.6 from that.

Copy link

ghost commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

@recoi1er
Copy link

recoi1er commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

Does it not work for you in Big Sur?

Copy link

ghost commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

Does it not work for you in Big Sur?

There's just so much information here that I don't quite understand how to put together into one script that I can run. I'm not really tech inclined.

@recoi1er
Copy link

recoi1er commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

Does it not work for you in Big Sur?

There's just so much information here that I don't quite understand how to put together into one script that I can run. I'm not really tech inclined.

The guide tells you exactly what to do, you don't need any tech inclination, just be able to read thoroughly. I suggest you read the entire read me as to what pertains to what you are trying to do and try it

Copy link

ghost commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

Does it not work for you in Big Sur?

There's just so much information here that I don't quite understand how to put together into one script that I can run. I'm not really tech inclined.

The guide tells you exactly what to do, you don't need any tech inclination, just be able to read thoroughly. I suggest you read the entire read me as to what pertains to what you are trying to do and try it

There are several comments stating errors occurred even by just reading it thoroughly. And since no one has tried it yet with Big Sur, and it didn't work for me trying, I need to know workarounds or what to do. I'd be willing to hire someone to do it as this has been a big headache of mine with Apple.

@recoi1er
Copy link

recoi1er commented Nov 19, 2020

Can someone post a final code/script for Big Sur?

Does it not work for you in Big Sur?

There's just so much information here that I don't quite understand how to put together into one script that I can run. I'm not really tech inclined.

The guide tells you exactly what to do, you don't need any tech inclination, just be able to read thoroughly. I suggest you read the entire read me as to what pertains to what you are trying to do and try it

There are several comments stating errors occurred even by just reading it thoroughly. And since no one has tried it yet with Big Sur, and it didn't work for me trying, I need to know workarounds or what to do. I'd be willing to hire someone to do it as this has been a big headache of mine with Apple.

I see, well start by not using the script at the top. This is what you need to use: https://1password.community/discussion/30286/mrcs-convert-to-1password-utility-mrc-converter-suite

Copy link

ghost commented Nov 19, 2020

Thanks. I much prefer remote assistance with this as I don't know what I'm doing, so I'll keep looking elsewhere I guess until someone is able to assist remotely. Appreciate your response.

@recoi1er
Copy link

recoi1er commented Nov 19, 2020

Thanks. I much prefer remote assistance with this as I don't know what I'm doing, so I'll keep looking elsewhere I guess until someone is able to assist remotely. Appreciate your response.

You downloaded the package and read the guide thats in there? It seriously lays out exactly what you need to do. step. by. step.

Copy link

ghost commented Nov 19, 2020

Thanks. I much prefer remote assistance with this as I don't know what I'm doing, so I'll keep looking elsewhere I guess until someone is able to assist remotely. Appreciate your response.

You downloaded the package and read the guide thats in there? It seriously lays out exactly what you need to do. step. by. step.

No need to be rude. Some people prefer to do things with assistance. Have a good day.

@farialima
Copy link

farialima commented Nov 2, 2021

This didn't work for me, my keychain must have been weirdly screwed up (didn't want to be exported...)

So instead I wrote a one-step script that does the whole work in one step -- see this gist

@rmondello
Copy link
Author

rmondello commented Nov 2, 2021

Hi y’all,

I wanted to let you know that exporting password + one-time code data from iCloud Keychain is now officially supported in macOS Monterey and Safari 15 (for Monterey, Big Sur, and Catalina). You can access it in the Password Manager’s “gear” icon (System Preferences > Passwords on Monterey, and Safari > Passwords everywhere else), or via the File > Export > Passwords... menu item).

I hope you’ll find the format to be reasonable!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment