Resetting the login password, DaveGrohl, /etc/kcpassword, and /usr/bin/security

Resetting the login password of an account

One option is to use the Reset Password application on the recovery partition:

  1. Hold command-R on startup.
  2. Select Terminal from the Utilities menu.
  3. Run resetpassword, which opens the Reset Password application.
  4. Select a volume and an account and reset the password.

A second option is to use dscl in single user mode:

  1. Hold command-S on startup.
  2. Run mount -uw /.
  3. Run launchctl load /System/Library/LaunchDaemons/ in 10.7 and later, or run launchctl load /System/Library/LaunchDaemons/ in 10.6 and earlier.
  4. Run dscl . passwd /Users/username newpassword, where username is the name of the account and newpassword is the new password.
  5. Run reboot.

A third option is to create a new admin account:

  1. Hold command-S on startup.
  2. Run mount -uw /.
  3. Run rm /var/db/.AppleSetupDone.
  4. Run reboot.
  5. Go through the steps of creating a new account.
  6. Reset the password of the old account from the Users & Groups preference pane.

None of these options resets the password of the login keychain.

When FileVault 2 is enabled, you need to enter a password in order to access single user mode, and the list of accounts in the Reset Password application is empty, so if you do not know the password of an account that is allowed to unlock FileVault 2, you cannot use any of these methods. To make sure that people who have physical access to your computer cannot reset your password, enable FileVault 2.


DaveGrohl is a command line utility for cracking OS X login passwords. The hash of the login password is stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and later. In 10.7 even relatively complex passwords could be cracked in a short period of time, but 10.8 started using PBKDF2 (Password-Based Key Derivation Function 2), which limits tools like DaveGrohl to about 10 guesses per second per core.

When I tried using DaveGrohl to crack a random three character password in 10.8, it took about 15 minutes:

$ sudo dave -u $USER
-- Loaded PBKDF2 (Salted SHA512) hash...
-- Starting attack

-- Found password : 'y8d'
-- (incremental attack)

Finished in 879.274 seconds / 31,385 guesses...
35 guesses per second.

You can see the hash data by running sudo dave -s $USER or by running this command:

sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -


When automatic login is enabled, the password of the login keychain is stored in /etc/kcpassword encrypted with XOR cipher. The encryption key has not changed between 10.4 and 10.10.

This command prints the password:

sudo ruby -e'key=[125,137,82,35,210,188,221,234,163,185,31];"/etc/kcpassword").bytes.each_with_index{|b,i|break if key.include?(b);print [b^key[i%key.size]].pack("U*")}'

Using the security command line tool to see passwords from a keychain

When the login keychain is not locked, like it usually is not, someone who uses your account can see passwords in the login keychain without having to enter any password. (Keychain Access and the tab for passwords in Safari's preferences require you to enter the password of the login keychain in order to show a password.)

This shows all passwords:

security dump-keychain -d ~/Library/Keychains/login.keychain

This searches for the passwords of Google accounts:

security find-internet-password -s -w