
1) Open Keychain Access.

2) Select a keychain item (a password) and double-click it.

3) Click on the Access Control tab. You can choose which applications can access that particular password.

I think there's also a group system, and there's a group called "InternetAccounts", but most of the passwords I see have an access list (which I haven't modified) that only includes one application, usually Safari or Mail, but I also see "NetAuth" and "NetAuthSysAgent" for passwords I use for file sharing.

You can also make it so keychain access requires you to type the keychain password in every time a particular password is accessed, and you can also put passwords in separate keychains that use different passwords.




I am aware of that. Let's look at Mail passwords - Mail is the app with designated access on that pane.

Now, if the entire Keychain is unlocked, Mail can access it when I check email. If the entire Keychain is locked, it asks for permission to use it. If I give permission, the entire Keychain is unlocked and left unlocked. It's not only access to Mail that is granted when Mail asks for validation. The entire keychain is unlocked.

Some claim to just keep their Keychain locked. People who say they keep theirs locked all the time, do they really give a password every single time they check their mail during the day, and then immediately afterwards open Keychain Access and relock it? That's the workflow required to keep the Keychain locked. Perhaps it works OK if one uses another computer for email and internet use. If one uses email and site logins on their Mac, one either has to retype their password every single time, and every single time go open Keychain and relock it, or they are sitting with the whole Keychain unlocked.

The command discussed is an easy way to pull passwords off of people's Macs. All you need is to wait for a few moments while they are distracted. This is a flaw. All passwords stored on the system should not be available for a passerby to examine without validation. Validation is only required if one is willing to unlock and relock the Keychain constantly, after every email check and site login.


It sounds like you really haven't explored how to use Keychain Access -- including some of its most basic features like ACL configuration and multiple keychains.

1) Relocking the keychain can be done through the menu bar, if you enable the keychain menu item. You don't have to open Keychain Access. When I let someone else sit down at my account for a moment, I lock the keychain. This is not a very difficult "workflow". This same menu gives you a "lock screen" item.

2) If you want to unlock and lock things with finer granularity, you can put those things in different keychains. For example, put your mail password in its own keychain. When you unlock that keychain, nothing else gets unlocked.

3) If you want to make it so new applications require typing in your password before accessing a password (rather than just confirming with a yes/no dialog box) you can check the box in the password ACLs. It's a bit of a bummer that there's no global setting for this.

I think we have to weigh this against all the other bad things that someone could do when given access to your account. If the keychain containing your email password is unlocked it's basically game over, since there's so much damage they could do with your email account, and it doesn't even require getting the password.


The fact that a Keychain is unlocked still only gives designated programs access to passwords and /usr/bin/security is no exception. The command from the article results in about a thousand "always allow/allow/deny" dialog boxes on my system, and there's an option for each password in Keychain to require a password to "allow" (from Get Info > Access Control, then set Confirm before allowing access and Ask for Keychain password, and clear the "Always allow access" list; admittedly, this would be a huge PITA for lots of passwords). Alternatively, if you want to "lock" every password but Mail's in one stroke, you don't need another computer: just create another Keychain with nothing but your Mail passwords, select it as the login keychain, and set the original keychain to "Lock after 0 minutes of inactivity."
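As an added example, not code from the thread or from Apple: the setup the last two comments describe (a separate keychain holding only the Mail credentials with an ACL restricted to Mail.app, that keychain selected as the login keychain, and the original login keychain set to relock itself) done with the same /usr/bin/security tool the thread is about, rather than by clicking through Keychain Access. The keychain file names, the Mail.app path, the example account and server, and the 60-second timeout are assumptions. Run without arguments it only prints the commands; on a Mac, `sh keychain-split.sh apply` executes them against your own keychains.

```shell
#!/bin/sh
# Added example (not from the thread): split mail credentials into their own
# keychain and make the main login keychain lock itself, via the security CLI.
# Keychain names, the Mail.app path and the account details are assumptions.
set -eu

HOME_DIR="${HOME:-/tmp}"
LOGIN_KC="$HOME_DIR/Library/Keychains/login.keychain-db"  # default login keychain (assumed path)
MAIL_KC="$HOME_DIR/Library/Keychains/mail.keychain-db"    # new keychain, name assumed
MAIL_APP="/System/Applications/Mail.app"                   # Mail.app location, assumed
SECURITY_DRY_RUN="${SECURITY_DRY_RUN:-0}"

# Wrapper: print the command instead of running it when dry-running or when
# `security` is not available (i.e. not on macOS), so the script is safe to read through.
sec() {
  if [ "$SECURITY_DRY_RUN" = 1 ] || ! command -v security >/dev/null 2>&1; then
    printf 'security %s\n' "$*"
  else
    security "$@"
  fi
}

# 1) A dedicated keychain for mail credentials. -P prompts for the new keychain's
#    password in a dialog; -p would take it on the command line, where it lands in
#    the process list and shell history.
create_mail_keychain() {
  sec create-keychain -P "$MAIL_KC"
}

# 2) Store the IMAP password in that keychain with an ACL that lists only Mail.app
#    (-T, repeatable). Leaving -w out makes security prompt for the secret instead
#    of taking it as an argument. -A would instead allow every application: avoid it.
add_mail_password() {
  account="$1"; server="$2"
  sec add-internet-password -a "$account" -s "$server" -r imap -P 993 \
      -T "$MAIL_APP" "$MAIL_KC"
}

# 3) Put both keychains in the user search list (mail first) and make the mail
#    keychain the login keychain, as the last comment suggests.
set_search_list() {
  sec list-keychains -d user -s "$MAIL_KC" "$LOGIN_KC"
  sec login-keychain -s "$MAIL_KC"
}

# 4) Make the original keychain relock itself: -l locks on sleep, -u enables the
#    inactivity timeout, -t sets it in seconds. The comment above uses "0 minutes"
#    in the GUI; 60 seconds is used here as an assumption.
lock_login_keychain_quickly() {
  sec set-keychain-settings -l -u -t 60 "$LOGIN_KC"
}

# 5) Lock every keychain right now (e.g. before someone else sits at the machine).
lock_all_now() {
  sec lock-keychain -a
}

# The dump discussed in the thread: -d asks for the secrets themselves, so each
# item's ACL is consulted and an allow/deny dialog appears for every item whose
# ACL does not already trust the caller.
dump_with_secrets() {
  sec dump-keychain -d "$LOGIN_KC"
}

main() {
  [ "${1:-}" = apply ] || SECURITY_DRY_RUN=1   # dry run unless explicitly told to apply
  create_mail_keychain
  add_mail_password "alice@example.com" "imap.example.com"   # constructed sample account
  set_search_list
  lock_login_keychain_quickly
  lock_all_now
}
main "$@"
```

The `-T` list given to add-internet-password is exactly what Keychain Access shows under the Access Control tab, which is why a dump from `security` prompts per item on such a setup: `security` itself is not in the list. Because the login keychain now locks after a minute of inactivity, only the mail keychain stays unlocked between prompts.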



