How to manage lost passwords in OS X

There are several ways to lock down your Mac, in order to prevent third parties from either accessing your data, or using your system for purposes you do not intend. Since your Mac consists of several layers of hardware and software, each can be secured with a password; however, there are times when you may have forgotten your password. In these instances, you will likely be locked out; however, in most cases you should be able to recover your system.

First, as a word of advice, be sure to always have redundant and recoverable backups of your Mac. This means that having a single encrypted USB Time Machine backup drive is not enough. What happens if your Mac will not boot and you can’t remember your drive’s password? The solution here is to have redundancy. In addition to your local backup solution, have a networked Time Machine backup, and also regularly create a system clone that you physically lock away (note that drives which are physically secured do not necessarily need to be encrypted).

With your backups, you can at least restore your workflow to any system and be able to run; however, there is still the matter of what to do about your lost passwords. In some cases, the solution is easy. In other cases, there is no direct solution, so you may need to rely on your backups:

Login Passwords

This is the password for your user account, and is required to log in and unlock your Mac’s keychain. If you are missing this, then you can reset it and access your data, but will need to either remember your old password to unlock your keychain, or create a new keychain:

  1. Reboot your Mac and hold Command-R to enter Recovery mode.
  2. Choose your language then choose Terminal from the Utilities menu.
  3. Type “resetpassword” (all one word, and lowercase) and press Enter.
  4. Choose your boot drive in the utility that opens.
  5. Choose your username from the drop-down menu.
  6. Choose the option to reset your password, and follow the instructions.

When done, your password will be reset and you can log in when you restart.

FileVault Passwords

If you have FileVault enabled on your Mac, then you may not be able to unlock your hard disk when you start up your Mac, even if you know the password for your account. This is especially true if you have a separate administrative account that you assigned in the FileVault system preferences for unlocking the account, but then use another user account for your daily activities. In such scenarios, even if the second user account is administrative, it will not be able to unlock the drive, so if you have lost the first account’s password, then your system will be locked.

FileVault user accounts in OS X

Here is an administrative account that cannot yet unlock the encrypted boot drive, so a lost password for the first admin account will effectively render this one inaccessible.

In these cases, FileVault has done its job of protecting your data from someone who doesn’t have the password, so there is little you can do. If you saved your FileVault recovery key, or opted to have Apple’s service store the key on iCloud, then you can use it to unlock your drive; if you have not done this, then the only way to unlock your drive is with the proper password. Failing that, you will need to restore your Mac from a backup:

  1. Reboot while holding Command-R to enter Recovery Mode.
  2. Choose your language then choose the option to restore from backup.
  3. Ensure your backup drive is attached to your Mac.
  4. Follow the instructions to choose your backup and the destination drive.

This approach will format your internal drive, clearing all data and FileVault encryption on it, and restore your data to it. When you have booted normally, you can then re-enable FileVault.
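A check you can run before a password is lost, for the scenario described in this section: it compares the admin group's members against the accounts FileVault accepts at the unlock screen. This is an added example, not part of the original article; the account names and UUID in the sample branch are constructed, and it assumes admin rights come from direct membership of the admin group.

```shell
#!/bin/sh
# Added example: find admin accounts that cannot unlock a FileVault boot disk.

# unlock_gaps ADMINS FV_LIST
#   ADMINS   space-separated short names (members of the admin group)
#   FV_LIST  "shortname,UUID" lines, the format printed by `fdesetup list`
# Prints every admin that is absent from FV_LIST, one per line.
unlock_gaps() {
    fv_users=$(printf '%s\n' "$2" | cut -d, -f1)
    for user in $1; do
        # root is listed in the admin group but is not a daily login; skip it
        [ "$user" = "root" ] && continue
        # -F: literal match (names may contain dots), -x: whole line only
        printf '%s\n' "$fv_users" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Live data: run with sudo on the Mac being checked
    ADMINS=$(dscl . -read /Groups/admin GroupMembership | cut -d' ' -f2-)
    FV_LIST=$(fdesetup list)
    echo "Personal recovery key exists: $(fdesetup haspersonalrecoverykey)"
else
    # Constructed sample mirroring the article's scenario
    ADMINS="root firstadmin dailyadmin"
    FV_LIST="firstadmin,11111111-2222-3333-4444-555555555555"
fi

GAPS=$(unlock_gaps "$ADMINS" "$FV_LIST")
if [ -n "$GAPS" ]; then
    echo "Admin accounts that cannot unlock the disk:"
    echo "$GAPS"
    echo "Enable one with: sudo fdesetup add -usertoadd <shortname>"
else
    echo "Every admin account can unlock the FileVault disk."
fi
```

Run without sudo, or on a non-Mac system, it falls back to the constructed sample and reports `dailyadmin` as the account that would be locked out.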

Firmware Password

A firmware password is set by the appropriate tool in the Utilities menu in Recovery Mode, and when set it will prevent you from booting to alternative boot modes, including Recovery Mode itself, unless you supply this password first. This is a very robust security option for Mac systems that can prevent a local hacker from bypassing OS X security options; however, if you have also forgotten this password then you will similarly be blocked. This will not prevent you from using your Mac, but should you need to reset your password, restore from backup, or otherwise administer your system outside of OS X then you will be out of luck.

Firmware password utility in OS X

Apple’s Firmware Password utility can be used to set and reset known passwords, but will not be able to recover a lost password.

Resetting your firmware password used to be doable by adjusting hardware configurations in your Mac, but in Mac models released after 2010 Apple changed this to be far more secure, and now requires you to take your Mac in for servicing. When you do so, Apple’s technicians will use a tool that requires manual remote verification at Apple’s headquarters, and then entry of an unlocking code that will clear the password you set. While this may seem a bit inconvenient, it does help prevent those who may have stolen a system from taking it in and attempting to unlock it. As a result, unless you regularly use alternative boot modes, setting a firmware password is recommended. Just be sure you use one you can remember.

Service Passwords

The final set of passwords in OS X are those for services you use, which include e-mail, file sharing, online accounts, and others. In large part, OS X will store these in your keychain for automatic entry when you access these services; however, this auto-entry is application-specific, so if you change programs (such as Web browsers) and cannot access your account because you haven’t had to type the password in a while, then you may need to recover it.

In these cases, online services may have a password recovery routine, but more often than not they will simply reset your password and then require you to create a new one. This can be a headache if you access these services from multiple devices. If you can access the service on another Mac, then you should be able to get your password from that Mac’s keychain:

  1. Open Keychain Access on the working Mac.
  2. Search for your desired service by name or domain.
  3. Select the keychain entry and press Shift-Command-C to copy the password.
  4. Authenticate with the keychain’s credentials to complete the copy.
  5. Paste the password into a text document to read it.

Copy password to clipboard in OS X

Using the Keychain Access tool, you can select entries for your services and choose options to copy the password (this will require you to authenticate first).

For this last step, you can also paste the password directly into a password entry field of a new program.

2 thoughts on “How to manage lost passwords in OS X”

  1. lloyd

    Password Pain: El Capitan requires your system password in order to reboot to a different partition / drive from Preferences. Have not found way to disable.

  2. jblack

    Do you have an opinion on the security/usefulness/potential hazards of using an iCloud based keychain rather than the login keychain?
