Mac 101: Reset your Mac OS X password
We've all done this.* It's time to install something or run Software Update, but first we've got to enter our password. What was it again? Oops.
You can reset your password with the CD (or DVD) that came with your Mac, but if you don't have it, try this tip from Hackszine. Restart your machine while holding down the Command Key (or "Apple Key") and the "S" key. This will start your Mac up in "Single User Mode."
Now it's command line time.** Don't worry, it's just three lines (the leading # is the root prompt, not something you type):
- # sh /etc/rc
- # passwd yourusername
- # reboot
*Well, not us, but, you know...our "friend."
[Via Lifehacker]
**Update: this post has raised some understandable security concerns among our readers. Our own Mike Rose had this to say:
"Note this caveat, from a commenter at Hackszine: if you have a FileVault-protected home directory, you cannot use this hack. Changing your password from the command line will render your home directory completely inaccessible, probably permanently."
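As an added example (not part of the original post or its sources), this script rates a Mac's exposure to the single-user-mode reset above from the two settings that gate it: disk encryption and a firmware password. It assumes a current macOS release with the `fdesetup` and `firmwarepasswd` tools; the function names and verdict labels are this example's own.

```shell
#!/bin/sh
# Added example. Inputs are the text printed by two macOS tools:
#   fdesetup status       -> "FileVault is On."      / "FileVault is Off."
#   firmwarepasswd -check -> "Password Enabled: Yes" / "Password Enabled: No"

# state TEXT ON_PATTERN OFF_PATTERN: print on, off or unknown.
# "unknown" covers empty or unrecognised output (tool missing, not run as
# root, unsupported hardware) so a failed check is never read as "off".
state() {
    if printf '%s\n' "$1" | grep -q "$2"; then echo on
    elif printf '%s\n' "$1" | grep -q "$3"; then echo off
    else echo unknown
    fi
}

# exposure FV_TEXT FW_TEXT: print a one-word verdict (labels are hypothetical).
#   hardened         disk encrypted and a firmware password is set
#   encrypted-only   disk encrypted, startup options not gated
#   boot-locked-only startup options gated, disk contents not encrypted
#   exposed          neither protection is in place
exposure() {
    fv=$(state "$1" '^FileVault is On\.' '^FileVault is Off\.')
    fw=$(state "$2" '^Password Enabled: Yes' '^Password Enabled: No')
    case "$fv/$fw" in
        on/on)   echo hardened ;;
        on/off)  echo encrypted-only ;;
        off/on)  echo boot-locked-only ;;
        off/off) echo exposed ;;
        *)       echo unknown ;;
    esac
}

# Live check only where both tools exist (firmwarepasswd needs root and
# applies to Intel Macs). Elsewhere, run on constructed sample output.
if command -v fdesetup >/dev/null 2>&1 &&
   command -v firmwarepasswd >/dev/null 2>&1; then
    exposure "$(fdesetup status 2>/dev/null || true)" \
             "$(firmwarepasswd -check 2>/dev/null || true)"
else
    exposure "FileVault is Off." "Password Enabled: No"   # constructed sample
fi
```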


Reader Comments (Page 1 of 2)
blufire said 7:12PM on 7-17-2007
Isn't this sort of a security problem? (Even though resetting with the OS X DVD is too...)
Alan said 7:14PM on 7-17-2007
This _is_ a security problem, but only if you have physical access to the machine. Remember, you can't restart a machine remotely and be connected to it as soon as it starts. It's the same kind of security issue as leaving your computer unlocked when you leave it alone.
Terts said 7:15PM on 7-17-2007
This is not good!
three30three said 7:28PM on 7-17-2007
This has always bothered me about OSX, being able to reset the password. Sure you need physical access to the machine, but it's still a HUGE security hole. It's an even greater concern with laptops that have sensitive material on them. If it gets stolen, all the thief has to do is reset the password and they have full access to everything on the computer.
Mike Piontek said 7:27PM on 7-17-2007
You can call it a security issue if you like, but it's no worse than being able to boot from a CD or external drive really. Yeah, those are potential security issues too, but Apple would be stupid to remove the functionality and it's easy to protect yourself if it's necessary.
If you're concerned about someone with physical access to your Mac hacking in, just set a firmware password. It will prevent this and many many other ways of getting into your computer. http://docs.info.apple.com/article.html?artnum=106482
awaspaas said 7:27PM on 7-17-2007
Unless there's an open firmware password, if you have physical access to a machine, you can get into it (and even open firmware passwords aren't unbreakable).
This is no secret! Why do you think datacenters have keycard locks?
This is a helpful hint, NOT a security vulnerability.
Cody Bromley said 7:38PM on 7-17-2007
I've used this several times.
Mainly for when I'm helping people who bought laptops with stuff pre-installed and can't afford to lose it.
You could also remove the initial config file and create a new admin.
But this one resets the password it will just create a new account for you but you can still see the other admin under accounts but I guess it doesn't really matter.
/sbin/fsck -y [Enter]
/sbin/mount -uw / [Enter]
rm /var/db/.applesetupdone [Enter]
reboot [Enter]
Mac OS X will run the initial first boot sequence with the BIENVENIDO! HELLO! video.
Hawkman said 7:45PM on 7-17-2007
I think posting this is a very bad idea. It should be something you can find out when needed, not something that everybody knows. (And yes, I know it's easily available, but there are - were - still an awful lot of people who didn't know this).
Michael Rose said 8:01PM on 7-17-2007
#8 -- Hawkman, I'm not sure it makes a difference. Having it here on the blog and having it as a KB article on Apple's support site (or at Hackszine, for that matter) are just as accessible, and a Google search for "reset os x password" is going to find all the methods in a microsecond anyway. Are TUAW readers responsible individuals or gimlet-eyed crackers?
As noted, this hack requires either physical access to the machine (with no firmware password set) or ssh with a preexisting admin password.
Michael Rose said 8:03PM on 7-17-2007
Also note this important caveat, from a commenter at Hackszine (and DC, please add to the post): if you have a FileVault-protected home directory, you cannot use this hack. Changing your password from the command line will render your home directory completely inaccessible, probably permanently.
artifex said 8:35PM on 7-17-2007
Sure, better most people remain ignorant about the fact that their password doesn't really make things secure on their system if it's stolen, than to put the knowledge out there so people can recover from mistakes and also figure out they need better security.
artifex said 8:41PM on 7-17-2007
Michael: when I first got my first Mac, I was playing with the Data Vault, and changed my password from the command line. Then I rebooted. I was not able to log in under that account from the GUI. So I ssh'd in, and since it couldn't unpack my home directory it threw me into the root directory. That was fine. I changed it back, exited, rebooted (not necessary except the GUI had hung and I didn't know yet which processes to kill -hup) and I logged back in.
So if you can rename the data vault file to something else and store it, I suspect you can still get back into it later once you remember your password, by first changing your login shell password back to that same password.
Chris said 9:55PM on 7-17-2007
I do consider this somewhat of a security issue. Sure it's only valid if you have physical access to the machine but this info kinda kills any chance of getting a stolen machine back.
I work at a Mac reseller and a few times now we have had people call in with reports of stolen Macs who ask that we keep an eye out for their machine. The general idea is that the thief won't be able to login without the user password, making the machine somewhat useless, and will come to us seeking help. I know of at least one machine that we recovered for the owner because of this exact scenario. I'm sure other retailers in other cities have had similar situations.
Cycomachead said 12:08AM on 7-18-2007
Who cares if TUAW posts it? I mean it's easy to find everywhere - which is fine, IMO. Because if you want real security you use FileVault - which encrypts the data.
Rafe H. said 11:00PM on 7-17-2007
Note that changing the password in this way will NOT change the keychain password, and thus the keychain will remain locked upon logging in. Thus, no emails can be sent as the user, no new emails can be read, no online banking, no iTunes purchases, etc.
Scott McNulty said 11:10PM on 7-17-2007
As an IT guy I know that this might strike some as a huge security concern, but here's the dirty little secret: if someone can get physical access to your machine you're pretty much screwed. There are all sorts of nasty things that can be done to your machine if someone can get their hands on it. This post neither helps nor hinders that, but it will help those who have honestly forgotten their passwords.
orkneyearl said 1:40AM on 7-18-2007
First, to three30three: XP/Vista are no more secure. If you have physical access to the machine, you can change the admin password easy and have full file access.
Also, a note about resetting passwords in OS X. Not only will this render FileVault protected directories inaccessible, it will also hose your login keychain (which stores all your passwords for websites, etc). This means that at least SOME of your data is still safe (like banking websites and the like).
So at least it's not ALL bad news.
Mr Lizard said 3:21AM on 7-18-2007
Fingerprint reader in the trackpad might be a good idea. Plenty of laptops have fingerprint readers these days.
Mike said 10:42AM on 7-18-2007
If this post worries you, check this out:
http://www.securemac.com/disablemacosxsingleboot.php
Jason said 11:28AM on 7-18-2007
To respond to Michael Rose:
"10. Also note this important caveat, from a commenter at Hackszine (and DC, please add to the post): if you have a FileVault-protected home directory, you cannot use this hack. Changing your password from the command line will render your home directory completely inaccessible, probably permanently."
This is not actually true. While it makes it impossible to log into that account *temporarily* if you know the Master Password you can use the command line to reset the FileVault password.
I had written an application to do this while I was working for a government agency. After Apple told me that it would be impossible to recover a FileVault account if the password was reset via Active Directory or on another computer (with Directory based accounts you can change the password from a different machine). Last time I checked Apple was distributing my application to other government agencies that required FileVault on Directory based accounts.
To reiterate something that everyone should know from Security 101 - If physical access to the computer is obtained then all security measures should be considered compromised. This is not a Mac OS X issue it affects EVERY platform. If an intruder has access to your UNENCRYPTED computer then they WILL get your data. Encryption is a whole other matter.