Resetting the login password, DaveGrohl, /etc/kcpassword, and /usr/bin/security

Resetting the login password of an account

One option is to use the Reset Password application on the recovery partition:

  1. Hold command-R on startup.
  2. Select Terminal from the Utilities menu.
  3. Run resetpassword, which opens the Reset Password application.
  4. Select a volume and an account and reset the password.

A second option is to use dscl in single user mode:

  1. Hold command-S on startup.
  2. Run mount -uw /.
  3. Run launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist in 10.7 and later, or run launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist in 10.6 and earlier.
  4. Run dscl . passwd /Users/username newpassword, where username is the name of the account and newpassword is the new password.
  5. Run reboot.

A third option is to create a new admin account:

  1. Hold command-S on startup.
  2. Run mount -uw /.
  3. Run rm /var/db/.AppleSetupDone.
  4. Run reboot.
  5. Go through the steps of creating a new account.
  6. Reset the password of the old account from the Users & Groups preference pane.

None of these options resets the password of the login keychain.

When FileVault 2 is enabled, a password is needed to start up in single user mode, and the list of accounts in the Reset Password application is empty, so unless you know the password of an account that is allowed to unlock FileVault 2, none of these methods can be used. To make sure that people who have physical access to your computer cannot reset your password, enable FileVault 2.

DaveGrohl

DaveGrohl is a command-line utility for cracking OS X login passwords. In 10.7 and later, the hash of the login password is stored in /var/db/dslocal/nodes/Default/users/username.plist, where username is the name of the account. In 10.7 it was easy to crack even relatively complex passwords, but 10.8 started using PBKDF2, which limits tools like DaveGrohl to about 10 guesses per second per core.

When I tried using DaveGrohl to crack a random three character password in 10.8, it took about 15 minutes:

$ sudo dave -u $USER
-- Loaded PBKDF2 (Salted SHA512) hash...
-- Starting attack

-- Found password : 'y8d'
-- (incremental attack)

Finished in 879.274 seconds / 31,385 guesses...
35 guesses per second.

You can see the hash data by running sudo dave -s $USER or by running this command:

sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData|tr -dc 0-9a-f|xxd -r -p|plutil -convert xml1 - -o -
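To see what that record contains and why PBKDF2 makes each guess expensive, here is an added example (not code from the original page or from DaveGrohl) that parses the inner ShadowHashData plist and checks one candidate password against it; the record layout (a SALTED-SHA512-PBKDF2 dictionary with entropy, salt and iterations) is assumed from the XML the command above prints, and the sample record is constructed inline.

```python
"""Parse the ShadowHashData record of an OS X 10.8+ local user and check one
candidate password against it.  Added example, not DaveGrohl's code and not from
the original page; the record layout (SALTED-SHA512-PBKDF2 with entropy, salt
and iterations) is assumed from the XML that the plutil command prints."""
import hashlib
import hmac
import plistlib
import time


def parse_shadow_hash(inner_plist: bytes) -> dict:
    """Return salt, iterations and entropy from the inner ShadowHashData plist
    (binary as fed to plutil, or the XML that plutil prints; both parse)."""
    record = plistlib.loads(inner_plist)["SALTED-SHA512-PBKDF2"]
    return {"salt": bytes(record["salt"]),
            "iterations": int(record["iterations"]),
            "entropy": bytes(record["entropy"])}


def derive(password: str, salt: bytes, iterations: int, length: int) -> bytes:
    """PBKDF2-HMAC-SHA512: every guess costs `iterations` HMAC computations,
    which is why a cracker is limited to a handful of guesses per second."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, length)


def check_password(password: str, inner_plist: bytes) -> bool:
    """True if `password` reproduces the stored entropy (constant-time compare)."""
    h = parse_shadow_hash(inner_plist)
    candidate = derive(password, h["salt"], h["iterations"], len(h["entropy"]))
    return hmac.compare_digest(candidate, h["entropy"])


def make_sample_record(password: str, iterations: int) -> bytes:
    """Constructed ShadowHashData record for testing.  The salt is fixed so the
    result is deterministic; a real record carries a random 32-byte salt."""
    salt = bytes(range(32))
    record = {"SALTED-SHA512-PBKDF2": {"entropy": derive(password, salt, iterations, 128),
                                       "iterations": iterations, "salt": salt}}
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    sample = make_sample_record("y8d", 30000)  # constructed; password from the dave run above
    start = time.perf_counter()
    ok = check_password("y8d", sample)
    print("match: %s, one guess took %.3f s" % (ok, time.perf_counter() - start))
```

Feed the bytes from the pipeline above (before or after plutil) to check_password to verify a known password against a real record; the printed time for one guess shows where the guesses-per-second figure comes from.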

/etc/kcpassword

When automatic login is enabled, the password of the login keychain is stored in /etc/kcpassword, encrypted with an XOR cipher using a fixed key. The key has not changed between 10.4 and 10.10.

This command prints the password (the password is NUL-terminated, so a stored byte that equals the key byte at the same position marks its end):

sudo ruby -e'key=[125,137,82,35,210,188,221,234,163,185,31];IO.binread("/etc/kcpassword").bytes.each_with_index{|b,i|k=key[i%key.size];break if b==k;print((b^k).chr)};puts'

Using the security command line tool to see passwords from a keychain

When the login keychain is not locked, which it usually is not, someone who uses your account can see the passwords in the login keychain without having to enter any password.

This shows all passwords:

security dump-keychain -d ~/Library/Keychains/login.keychain

This searches for the passwords of Google accounts:

security find-internet-password -s accounts.google.com -w