My financial records are stored in an encrypted disk image file, with a ridiculously long password. That password is stored in my high-security keychain.
If I don't enter the keychain password, clicking "Cancel" instead, the system says "OK, then, can you give me the password to the disk image?" If I knew it, I could enter it then.
My login password is relatively strong, a compromise between security and convenience. ... My high-security keychain has a much stronger password.
Isn't that scheme fallacious?
Your "ridiculously long" p/w is no stronger than the weaker, albeit "much stronger" one that unlocks your high-security keychain.
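As an added illustration of the weakest-link point made in this reply (example code written for this page, not from any poster in the thread), the following Python models each secret by its length, its character set, and which other secret unlocks it, then computes the entropy an attacker actually has to beat. The secret names, lengths and alphabet sizes are assumptions chosen for illustration; it also goes one step beyond the thread by comparing the case where the image password is stored in a separate keychain with the case where it sits in the login keychain.

```python
import math

# Constructed model (assumed values, not from the thread): each secret is
# drawn uniformly from an alphabet of `alphabet` symbols, has `length`
# symbols, and is optionally unlocked by another secret (unlocked_by).
SECRETS = {
    "login":    {"length": 10, "alphabet": 62, "unlocked_by": None},
    "keychain": {"length": 16, "alphabet": 94, "unlocked_by": None},
    "image":    {"length": 40, "alphabet": 94, "unlocked_by": "keychain"},
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Brute-force entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def unlock_chain(name: str, secrets=SECRETS) -> list:
    """Secrets an attacker could go through to reach `name`, starting with itself."""
    chain, cur, seen = [], name, set()
    while cur is not None:
        if cur in seen:  # defensive: a cyclic model would otherwise loop forever
            raise ValueError(f"cycle in unlock chain at {cur!r}")
        seen.add(cur)
        chain.append(cur)
        cur = secrets[cur]["unlocked_by"]
    return chain


def effective_bits(name: str, secrets=SECRETS) -> float:
    """Entropy the attacker must actually beat: the cheapest path wins, so it is
    the minimum over the secret itself and everything that unlocks it."""
    return min(entropy_bits(secrets[n]["length"], secrets[n]["alphabet"])
               for n in unlock_chain(name, secrets))


def weakest_link(name: str, secrets=SECRETS) -> str:
    """Name of the secret in the chain that bounds the attacker's cost."""
    return min(unlock_chain(name, secrets),
               key=lambda n: entropy_bits(secrets[n]["length"], secrets[n]["alphabet"]))


def image_bits_if_stored_in(keychain: str, secrets=SECRETS) -> float:
    """Effective strength of the image password if it were stored in `keychain`
    instead (e.g. the login keychain, which the login password unlocks)."""
    alt = {k: dict(v) for k, v in secrets.items()}
    alt["image"]["unlocked_by"] = keychain
    return effective_bits("image", alt)


if __name__ == "__main__":
    for n in SECRETS:
        print(f"{n:9s} own={entropy_bits(SECRETS[n]['length'], SECRETS[n]['alphabet']):6.1f} "
              f"effective={effective_bits(n):6.1f} bits, bounded by {weakest_link(n)!r}")
    print(f"image in login keychain: {image_bits_if_stored_in('login'):.1f} bits")
```

The image password's own entropy (40 printable characters) never matters: its effective strength equals that of the keychain password guarding it, and if the same password were dropped into the login keychain it would fall to the strength of the login password.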
My login p/w is ridiculously weak, but there's no risk involved, because my deuced Mac(hina) is a one-person machine.
For peace of mind, rather than immediately necessary security, though, I use a much stronger p/w to unlock my keychain and a very significantly stronger one to unlock my sparse image.