The password on your Mac is the primary way you will secure and prevent unauthorized access to it. If you suspect your password is compromised, decide you wish to use a different one, or have forgotten it, then there are several approaches for changing it. These range from the use of the standard system preferences, to various approaches with the Terminal, and finally with use of the Recovery and Single User modes on your Mac.
The use of the Users & Groups system preferences is the standard way to change your password, and is the recommended method for most cases where you know your current password and wish to change it:
- Go to the Users & Groups system preferences
- Select your account
- Click the “Change Password…” button next to your account icon.
In the dialogue that pops up, you will supply your old password, your new one, and then an optional hint, and your password will be changed. Note that this method is the only one that will properly update your keychain so it unlocks when you log into your account.
The Users & Groups system preferences can also be used to reset an account’s password. If you are logged in as an administrator, then you can click the lock to unlock the preferences, followed by selecting an account other than the current one, and then follow the same procedure above to reset the password. Note that unlike changing the password from within the user account, this approach will not properly update the user’s keychain.
If you are logging into a system remotely using SSH or are otherwise accessing your system via the Terminal, there are two options you can use for resetting your password: the dscl command and the passwd command. These can be run in the following manner:
dscl . -passwd /Users/username
For this command, the dot indicates the local directory on the system (though an LDAP or other directory can be specified). You can then target any account by the full path to it, and you can specify the current one automatically by several methods, including the following uses of the $USER environment variable and the “id” command:
dscl . -passwd /Users/`id -un`
dscl . -passwd /Users/$USER
Note that these commands will have to be run as root to change the password for any account but your own.
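As an added example (not from the original article), the following shell function picks the right form of the dscl command for the two cases described above: your own account, or another account that requires root. The function name, the account-name check and the use of sudo to obtain root are assumptions of this example.

```shell
#!/bin/sh
# build_passwd_cmd TARGET [CURRENT_USER] [EUID]
# Prints the dscl command line to run for TARGET. It does not execute it.
# CURRENT_USER and EUID default to the caller's own values from id(1).
# Returns 2 if TARGET is not a plain account name.
build_passwd_cmd() {
    target=$1
    current=${2:-$(id -un)}
    euid=${3:-$(id -u)}

    # The name is appended to /Users/ to form the directory path, so reject
    # empty names, a leading dash, "..", and any character outside a
    # conservative set (this blocks slashes and spaces).
    case $target in
        ''|-*|*..*|*[!A-Za-z0-9._-]*)
            echo "invalid account name: $target" >&2
            return 2 ;;
    esac

    # No password argument is appended: dscl then prompts for it, as in the
    # commands above, which keeps it out of shell history and process lists.
    cmd="dscl . -passwd /Users/$target"

    if [ "$target" = "$current" ] || [ "$euid" -eq 0 ]; then
        # Own account, or already root: run the command as-is.
        printf '%s\n' "$cmd"
    else
        # Another user's account: root is required (sudo is assumed here).
        printf 'sudo %s\n' "$cmd"
    fi
}

# Stand-alone use: show the command for the account given as the first
# argument, or for the current user when none is given.
build_passwd_cmd "${1:-$(id -un)}"
```

The function only prints the command so it can be reviewed before it is run.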
The Recovery Partition
Apple’s recovery utilities in OS X contain a number of tools for reinstalling, restoring from backup, and repairing your Mac. In addition, they include a tool for resetting account passwords:
- Reboot your Mac and hold Command-R at the startup chimes, or insert your OS X installation disc and hold the “C” key at the startup chimes to boot from this disc. If your Mac supports Internet Recovery, then you can hold down Option-Command-R to force the loading of these tools from Apple’s servers (this will require an active internet connection).
- Select your language when prompted
- Choose the Password Reset tool from the Utilities menu. If this is not available, then choose the Terminal and then type the command “resetpassword” (all one word) and press Enter.
- In the password reset utility, select your boot drive and then select your account from the drop-down menu. Then choose the option to reset its password.
Note that as with the use of the Terminal or when resetting another user’s password via the system preferences, this approach will also break the user’s login keychain.
The above approaches should be enough to change and reset passwords on your Mac; however, you can also go about this using some alternative methods. The first is to use Apple’s service to reset your password at the login prompt using your Apple ID. This service will require you to have an Apple ID associated with your account, which can be done by going to the Users & Groups system preferences, and clicking the “Set…” button for the Apple ID in the Password section for your account.
With this ID association set up, if you fail to enter a valid password for your account at the login window, your Mac will ask you whether or not you wish to use your Apple ID to reset your Mac. Provided you have an active network connection, you will be able to follow the on-screen instructions for logging into your Apple ID and then resetting your password. Note that this setup will have to be done on a per-account basis, and will only work if you have previously set your Apple ID in the system preferences.
If you do not have an Apple ID set up, then you can also use a master password to reset others at the login window. To do this, instead of using your Apple ID, you will be prompted to enter your master password, followed by a new one for the user account. As with the Apple ID, however, this will require that you have a master password set, which can be done by clicking the gear menu at the bottom of the account list in the Users & Groups system preferences.
The second fallback is to have the OS X Setup Assistant run when you next reboot your Mac. Since one feature of this assistant is its ability to create the first administrative user account for your Mac, running it will allow you to create such an account, log into it, and then make changes to other accounts on your Mac. This approach may be useful if for any reason you cannot boot your Mac to its recovery mode:
- Reboot your Mac and hold Command-S at the boot chimes to load into Single User mode. This will drop you to the OS X command line with limited OS services running in the background.
- At the command prompt, run the following command to make the filesystem writable:
mount -uw /
- Remove the hidden file that triggers OS X to skip the setup assistant at startup:
- Restart your Mac by entering “reboot” at the command prompt.
When your Mac restarts, you will be greeted by the setup assistant, which you can run through to create your new admin account. Following this, you can log into this account, and then use the Users & Groups system preferences to change the passwords for other accounts on the system.
Your keychain contains all the passwords you use for accessing e-mail, encrypted hard disks, and other online and local services on your Mac. This keychain is unlocked when you log into your Mac, so you may have valid concerns about its security, given that an account password can be reset using any of the above methods.
While there are a number of ways to change your password, using the Users & Groups system preferences is the only way to do so while preserving the link to your login keychain. For all other methods, the login keychain will be unlinked from your password, so even though someone may be able to reset your password and log into your account, they will not have access to your other services.
If you have reset your password and have broken the link to your keychain, then you have two options available: re-associate your keychain, or create a new one. When you log into the account for which you have reset your password, if the login keychain does not work then the system will prompt you for either creating a new one or updating the current keychain’s password. To update it, you will need to know the password. Since in most cases this is the old password, if you do not know it then you will be forced to create a new keychain and re-populate it with your various passwords. This can be cumbersome at first, but once you enter your passwords again, you should be able to seamlessly access services on your Mac again.