
10.5: Reset a user's password in single user mode System 10.5
We needed to reset the password on a Leopard system, but we didn't have the OS X install DVD available. After a few minutes of playing around, I came up with this solution:
  1. Boot into single user mode (press Command-S at power on)
  2. Type fsck -fy
  3. Type mount -uw /
  4. Type launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
  5. Type dscl . -passwd /Users/username password, replacing username with the targeted user and password with the desired password.
  6. Reboot
This allows you to reset the password in single user mode without booting from the install media.

[robg adds: For everyone about to comment about this massive security hole, please don't do so. We ran a similar hint at the time of the OS X 10.0 release, and you can read the comments there for some of the give and take on the security issue. The bottom line is that someone with physical access has full access to your machine, regardless of whether or not they happened to bring a boot DVD with them. If you're truly worried about such things, then you'll want to use a combination of FileVault, a firmware password, and a case lock to minimize the chances that your machine is accessed.]

10.5: Reset a user's password in single user mode
Authored by: johnsawyercjs on Wed, Apr 23 2008 at 1:38PM PDT
This looks like a shorter method than the similar one that Apple describes at

http://docs.info.apple.com/article.html?artnum=306840

..which has you first delete, then change, the old password.

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: lolopb on Mon, Apr 28 2008 at 6:50PM PDT
Hmmm, this article only deletes a part of a user's record, the AuthAuthority value, in fact. This article is useful if you have a user created in 10.2.x and migrated to 10.5.

Beginning with 10.3, Apple changed the way passwords are stored for more security. Before 10.3, passwords were stored in the NetInfo database, in the users' entries, using the insecure crypt hash. Starting with 10.3, passwords use stronger hashes (SHA-1 and, beginning with 10.4, a Salted-SHA1) and they are no longer stored in the users' entries but in /private/var/db/shadow/hash, in a file which is named with each user's GeneratedUID (not the old Unix UID, be careful). This folder is only accessible to root, and the AuthAuthority attribute tells the system which kind of password you have.

So, if your user was created before 10.3 and you have migrated it, you may want to do what this KB article explains.

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: alittleknowledge on Wed, Apr 23 2008 at 1:49PM PDT
The dscl command portion of this hint will work in 10.4 - I just used it to remotely reset admin passwords on several machines via ARD.

Thanks!!!

---
0==

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: allanmarcus on Wed, Apr 23 2008 at 4:14PM PDT
Once you mount the file system, can't you just use passwd <username> ?

Of course neither method will change the user's login keychain password.




[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: timhaigh on Thu, Apr 24 2008 at 2:40AM PDT
Yep, There is no backdoor into the keychain.

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: pbn on Thu, Apr 24 2008 at 3:59AM PDT
Hi there, I don't think passwd would change the password. The passwd command will change the password in /etc/passwd. But Mac OS X doesn't rely on /etc/passwd for passwords; it relies on Directory Service, and you have to use the dscl command to change things in Directory Service.

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: kholburn on Sat, Apr 26 2008 at 9:35AM PDT
passwd will change the user's password in whatever way the system has been set up. Unix systems don't all use /etc/passwd; actually, most standalone systems use /etc/shadow, not /etc/passwd. Most networked systems use LDAP or Kerberos or even Open Directory. If passwd has been tailored correctly to the Mac, it should change the user's password correctly. Maybe not the keychain access password though.

N.B. I haven't tried using passwd in 10.5.

[ Reply to This | # ]
Confirmed: passwd works in 10.5
Authored by: ilikeimac on Wed, Jun 17 2009 at 7:44PM PDT

I did just the following after rebooting to single user mode in 10.5 and it worked:

/sbin/mount -uw /
passwd username
After the next reboot my machine didn't automatically log in, even though it is configured to do so, and it prompted me for the keychain password in order to join my wireless network, but it did honor the new password, and it sounds like you can subsequently reset the password in System Preferences to change the keychain password.

[ Reply to This | # ]
10.5: Reset a user's password in single user mode
Authored by: bolah1313 on Fri, Apr 25 2008 at 7:51AM PDT
You don't have to worry about the Keychain password. Once you change the user's password and can log into the computer, all you need to do is simply go into the Accounts preference pane and change the password there to either the new password or something different if you so choose. That action will then automatically change the Keychain password. I've done this several hundred times on Macs from 10.0 through 10.4.11. I haven't yet had to change a password on a Leopard box, but I'm sure it will work just the same.

---
Tino XIII

[ Reply to This | # ]
You can lock down Single User mode quite easily
Authored by: rodneyweston on Thu, Apr 24 2008 at 5:47AM PDT
Aside from Open Firmware/EFI passwords, you can configure your Mac so that the root password must be entered in order to access Single User Mode. If your root account is disabled, then it is impossible to enter the root password, and Single User Mode cannot be started.

To do this, the console and ttys must be marked as insecure in /etc/ttys:

1. Log in as administrator
2. Open Terminal
3. cd /etc
4. sudo cp ttys ttys.old (backs up previous ttys config).
5. sudo pico ttys
6. Replace all occurrences of the word "secure" with "insecure" on any lines that do not begin with a "#"
7. Exit, saving changes.

These instructions are from the Apple Mac OS X Security Configuration manual.

[ Reply to This | # ]
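
An added example, not part of the comment above or of the Apple manual it cites: a shell function that audits a ttys file after the edit in step 6 and lists any uncommented entries still flagged secure. The function names audit_ttys and write_sample and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ttys file for entries still flagged "secure".

# audit_ttys FILE: print the name of every uncommented tty entry that
# still carries the "secure" flag. Returns 0 if none, 1 if any, 2 if
# FILE cannot be read.
audit_ttys() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                  # skip commented-out entries
        {
            line = $0
            gsub(/"[^"]*"/, "\"\"", line)    # blank quoted getty commands
            sub(/#.*/, "", line)             # drop trailing comments
            sub(/^[ \t]+/, "", line)         # tolerate leading whitespace
            n = split(line, f, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if (f[i] == "secure") { print f[1]; found = 1; break }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample in ttys format (assumption, not from a real system).
write_sample() {
    cat > "$1" <<'EOF'
#console "/usr/libexec/getty std.9600" vt100 on secure
console "/usr/libexec/getty std.57600" vt100 on secure  # serial
ttyp0   none    network insecure
ttyp1   none    network
tty00   "/usr/libexec/getty std.9600" unknown off secure
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_ttys "$tmp" || echo "the entries listed above are still marked secure"
rm -f "$tmp"
```

Run audit_ttys /etc/ttys after step 7; no output and exit status 0 means every uncommented entry is marked insecure.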
You can lock down Single User mode quite easily
Authored by: nussbash on Sun, Jan 3 2010 at 7:04PM PST
This procedure works except that the password for login.keychain remains lost. What will reset that? Thanks!

[ Reply to This | # ]