Passwords stored in your keychain are accessible only while the keychain is unlocked, and only to the apps that have been authorized to access them. Your keychain is unlocked automatically when you log in, using your login password. If the keychain password is different from your login password for some reason (such as having force-reset your password using a boot disk), then your keychain will not unlock at login, and things like encrypted disk images will not be able to be opened by simply double-clicking them.

It's also possible to have additional keychains. I've seen users who have a collection of encrypted disk images that use different passwords, but all of these passwords are stored in an auxiliary keychain. So when the user double-clicks on any of them, the KEYCHAIN will prompt for its password to unlock it, to gain access to the key. Once unlocked, all passwords in the keychain are available. So the user can select 10 disk images and open them one at a time, but only the first one will prompt for the password to the keychain, and all the rest will immediately open. Auxiliary keychains like that automatically re-lock themselves after 15 minutes, iirc.

This also allows you to create disk image passwords of arbitrary (military? FIPS?) complexity without having to memorize them. If someone happens to steal the DMG file, they have no way of knowing that the password is stored in some auxiliary keychain somewhere that has what might be a much easier-to-break password. Or maybe you run a secure data hosting business and each customer's records are in a different disk image with a different big random password, all kept in your aux keychain. If a judge subpoenas the data on one customer's DMG, you only have to give him the DMG password out of the keychain, and that restricts his access to only the data from the one customer. It's a good way to compartmentalize security without sacrificing convenience.

TL;DR: encrypted disk images whose passwords are stored in your login keychain remain secure from someone who resets your login password. However, if they get on your computer while you're logged in, and the screensaver isn't asking for your password, they WILL have access to DMGs whose password is in your keychain.



I work for the Department of Redundancy Department
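The auxiliary-keychain setup described in the post above, written out as a shell script using Apple's `security` and `hdiutil` tools. This is an added example, not code from the original post or its author; the keychain file path, the service label `dmg-vault`, the volume name and the `VAULT_PASSPHRASE` environment variable are all assumed names chosen for the illustration. The keychain is created with a 15-minute auto-lock, each image gets a 40-character random password that is generated and stored without anyone ever reading it, and opening an image pulls the password back out of the keychain, so the first open after the timeout prompts for the keychain password and later opens do not. It also makes the post's caveat concrete: the keychain's own passphrase guards every image password in it, so it must not be the weak link.

```shell
#!/bin/sh
# Added example: an auxiliary macOS keychain that holds random disk-image
# passwords and re-locks itself after 15 minutes. Not the original post's code.
# Assumed names: keychain path, service label, volume name, VAULT_PASSPHRASE.
set -eu

KEYCHAIN="$HOME/Library/Keychains/dmg-vault.keychain-db"   # assumed path
SERVICE="dmg-vault"                                         # assumed label
LOCK_SECONDS=900                                            # 15 minutes, as in the post

# 30 random bytes as 40 base64 characters (~240 bits). Nobody memorises this;
# the only copy lives in the auxiliary keychain.
new_dmg_password() {
  head -c 30 /dev/urandom | base64 | tr -d '\n'
}

# Create the auxiliary keychain once. Its passphrase ($1) protects every image
# password stored in it, so it must not be shorter or weaker than those.
create_vault() {
  security create-keychain -p "$1" "$KEYCHAIN"
  # -u: lock after the timeout   -t: timeout in seconds   -l: also lock on sleep
  security set-keychain-settings -u -t "$LOCK_SECONDS" -l "$KEYCHAIN"
}

# Build an encrypted image whose password is generated here and stored only in
# the keychain, keyed by the image path (-a) so one keychain serves many images.
create_vault_dmg() {   # $1 = path of the .dmg to create
  dmg="$1"
  pw=$(new_dmg_password)
  printf '%s' "$pw" | hdiutil create -quiet -size 20m -fs HFS+ -volname Vault \
      -encryption AES-256 -stdinpass "$dmg"
  # Caveat: -w puts the secret on the command line, briefly visible in `ps`.
  # Drop -w to be prompted interactively if that matters on a shared machine.
  security add-generic-password -a "$dmg" -s "$SERVICE" -w "$pw" "$KEYCHAIN"
}

# Mount an image with the password fetched from the keychain. If the keychain is
# locked (timeout expired), `security` prompts for its passphrase once; further
# calls inside the window mount with no prompt, like the post's ten images.
open_vault_dmg() {   # $1 = .dmg path, $2 = mount point
  security find-generic-password -a "$1" -s "$SERVICE" -w "$KEYCHAIN" \
    | tr -d '\n' | hdiutil attach -quiet -stdinpass -mountpoint "$2" "$1"
}

# Demo run (macOS only): one vault, one image, open it, then tear everything down.
demo() {
  : "${VAULT_PASSPHRASE:?export a strong vault passphrase first}"
  tmp=$(mktemp -d)
  dmg="$tmp/customer-a.dmg"; mnt="$tmp/mnt"; mkdir -p "$mnt"
  create_vault "$VAULT_PASSPHRASE"
  create_vault_dmg "$dmg"
  open_vault_dmg "$dmg" "$mnt"
  ls -la "$mnt"
  hdiutil detach -quiet "$mnt"
  security lock-keychain "$KEYCHAIN"      # what the 15-minute timer does on its own
  security delete-keychain "$KEYCHAIN"    # demo cleanup only
  rm -rf "$tmp"
}

if [ "$(uname)" = Darwin ] && [ "${1:-}" = demo ]; then demo; fi
```

Run it as `VAULT_PASSPHRASE='...' sh dmg-vault.sh demo` on a Mac. Per-image passwords never touch the terminal, and handing one customer's password out of the keychain (the subpoena case) exposes nothing about the others; an attacker who copies the `.dmg` still faces the 240-bit key unless they also get the keychain file and its passphrase.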