How-To Guide: Changing and Resetting Mac Passwords
When was the last time you or someone in your organization needed a new Mac password? There are two ways to get one: change the password or reset it. The two words sound similar, but the difference between them matters.
The golden path is to change the password instead of resetting it, if at all possible. The user goes to System Settings, then Users & Groups, where they select their username, click the Information (i) icon, then select Change Password. They enter their existing password, then the new one (twice), add the optional password hint, then click Change Password. (In older versions of macOS, users could use either the Users & Groups or Security & Privacy preference pane.)
If they follow that path to change their password, macOS will automatically update the password for their login keychain too. The user will still have the same access to that keychain as before; all their stored passwords (and anything else they stashed in there) will still be accessible.
The alternative is to reset their password. This is the path that comes up frequently when users forget or lose their passwords. If they don’t know their old one, they can’t change it with the workflow above. Instead, they have to reset it—and that can have some serious consequences.
So as a Mac admin, you need to clearly understand the differences between these two workflows and the ramifications of each.
How to Reset a Mac Password
Let’s say a user calls your helpline and says, "I forgot my password." What do you do? You need to coach them through one of the several alternative paths to resetting it. (For simplicity's sake, assume there's no other administrator account on the Mac that you could use to reset another user’s password.)
The first step on all of these paths is getting to the login window—the one that appears after they turn on, restart, or log out of their Mac, not the one they see when waking their Mac from sleep or stopping the screen saver.
There, they should see the Shut Down, Restart, and Sleep buttons. If they don’t see those, they can restart the Mac; those three options should appear when it finishes doing so. (Note that it’s possible that a configuration profile has hidden those buttons.) If they see one for Switch User, they can click that to switch to the login window.
Once the user is at the login window, they can enter an incorrect password (or just press Return) up to three times; after the third failed attempt, the login window shows the available password-reset options. Depending on how they set up their user account (among other variables), those options may include signing in with an Apple ID or with a FileVault recovery key.
Reset Mac Password with Apple ID
Depending on the circumstances, there are several ways to reset the login password using a personal Apple ID. If such an ID is associated with one of the user accounts on a Mac—if, say, the user provided their personal Apple ID the first time they logged in to their Mac—the user may be prompted to supply it either immediately or after a restart. If there’s more than one user account on the Mac, they may be asked to select the one they want to reset.
If the user is asked to create a new keychain to store the user's passwords, the only option is to click OK.
If they’re asked to select an admin user, they should click Forgot all passwords. If they see multiple user accounts, they’ll have to click Set Password for each one, then enter new passwords for each. If they are offered the option to deactivate their Mac, they should click that; reassure them that it’s only temporary.
They can then enter their new password. Once they’ve done so, they can click Restart.
Reset Mac Password with FileVault Recovery Key
When users enable FileVault on an unmanaged Mac, they’re given the option of either creating a recovery key or allowing their iCloud account (Apple ID) to unlock their disk. That key, a long alphanumeric string, can also be used to reset the login password. But that only works if the key is still retrievable: the user recorded it somewhere, escrowed it to iCloud, or (on a managed Mac) their MDM escrowed it.
On the consumer side, a user may escrow their FileVault recovery key to their own personal iCloud account. Importantly, when a user is setting up their Mac for the first time, Setup Assistant asks for their personal iCloud account before asking them to set up their local Mac account; if they’ve signed in to iCloud, macOS won’t let them use the same password for their local Mac account as their iCloud account password. So as long as they can remember their iCloud account’s password, and have escrowed their FileVault recovery key to iCloud, they can recover their recovery key that way.
But that’s on the consumer side. For a Mac that’s enrolled with a mobile device management (MDM) solution that supports escrowing the FileVault recovery key, that solution likely automatically stores the recovery key and provides a way for the MDM administrator to retrieve it. For example, with Kandji, in the FileVault Library Item in a Blueprint, you can select the checkbox for the option Escrow Recovery Keys to Kandji.
(You may be wondering, what happens if the user turned on FileVault before enrolling their Mac in Kandji? In that scenario, the Kandji menu item automatically guides the user through the process of entering their password again; macOS automatically regenerates a new FileVault recovery key, and Kandji automatically escrows that new key.)
Supplying the FileVault recovery key allows the user to reset the password without supplying the old one. That new password can unlock FileVault and so make the disk accessible. But it won’t unlock that user’s old login keychain. Instead, macOS automatically saves the old login keychain under a new name (in case the user remembers or finds the old password and wants to retrieve items from the old keychain). Then macOS creates a brand new login keychain with the new password. We’ll have more on that in a minute.
Reset Mac Password through macOS Recovery
If neither of the paths above works for your user, there’s a more extreme path to reset their password: through macOS Recovery. That process is described in detail here.
If none of these paths work for your user, they may need to start completely from scratch, by erasing the Mac. That process, too, is described in detail here.
Resetting a Mac Password: The Consequences
The biggest problem with resetting a user’s password is that doing so cuts off access to that user’s login keychain. The login keychain is encrypted with a key derived from the login password, so without the old password, all the passwords and other confidential information stored there are inaccessible: the items are still on disk, but nothing can decrypt them.
In the past, when this happened, macOS would throw up a dialog saying essentially, "Your login keychain password doesn't match your login password. What do you want me to do about it?” Users then had the option of preserving the old keychain or changing the keychain password to match the new one. But, of course, this wouldn’t usually be much help, because users had forgotten the old password; the old keychain, therefore, wasn’t of much use to anyone.
Now macOS just sets the old keychain aside under a new name in the user’s ~/Library/Keychains folder and creates a brand new login keychain protected by the new password. Everything that was saved in the old keychain is still in that renamed file, still locked with the old password.
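The following script is an added example, not code from the original post or from Kandji; it shows how an admin can triage a user's keychains after a reset from a shell session on the Mac. It assumes that the set-aside keychain is named login_renamed_N.keychain-db inside ~/Library/Keychains (the name recent macOS versions use) and relies on the security command-line tool's unlock-keychain, set-keychain-password and list-keychains subcommands. The directory scan is plain POSIX sh, so it can be exercised against a constructed directory on any system; the security calls only run on macOS. Passwords are deliberately never passed on the command line: security prompts for them, which keeps them out of the process list and shell history.

```shell
#!/bin/sh
# keychain_after_reset.sh: triage a user's login keychain after a password reset.
#   find_renamed_login_keychains DIR    list the set-aside keychains macOS leaves behind
#                                       (assumed name: login_renamed_N.keychain-db)
#   count_renamed_login_keychains DIR   how many set-aside keychains exist
#   recover_old_keychain FILE           if the user later remembers the OLD password,
#                                       unlock the set-aside keychain so its items can be
#                                       opened in Keychain Access (File > Add Keychain)
#   change_login_keychain_password      re-key the CURRENT login keychain when the old
#                                       password is known (the keychain half of a "change",
#                                       which System Settings normally does for you)

find_renamed_login_keychains() {
  # $1: keychain directory (normally "$HOME/Library/Keychains").
  # Prints the full path of every set-aside login keychain, one per line, sorted.
  for f in "$1"/login_renamed_*.keychain-db; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

count_renamed_login_keychains() {
  # Prints the number of set-aside login keychains in $1 (0 when there are none).
  find_renamed_login_keychains "$1" | awk 'END { print NR }'
}

recover_old_keychain() {
  # $1: path to a login_renamed_N.keychain-db. `security` prompts for the password;
  # exit status 0 means the old password still fits and the items are recoverable.
  security unlock-keychain "$1"
}

change_login_keychain_password() {
  # Prompts for the old and new password, then re-keys the live login keychain.
  security set-keychain-password "$HOME/Library/Keychains/login.keychain-db"
}

main() {
  dir=${1:-$HOME/Library/Keychains}
  n=$(count_renamed_login_keychains "$dir")
  if [ "$n" -eq 0 ]; then
    echo "no set-aside login keychain in $dir: this account has not been reset"
  else
    echo "$n set-aside login keychain(s) in $dir, still encrypted with the OLD password:"
    find_renamed_login_keychains "$dir"
  fi
  if [ "$(uname)" = Darwin ]; then
    echo "keychains on this user's search list:"
    security list-keychains -d user
  fi
}

main "$@"
```

Run it as the affected user (sudo -u jane sh keychain_after_reset.sh) so $HOME resolves to that user's keychain folder. If the user later turns up the old password, recover_old_keychain on the renamed file confirms it, and the items can then be dragged into the new login keychain in Keychain Access.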
As an admin, one preemptive response you can take is to encourage the use of a third-party password manager, so that stored passwords are kept in the manager’s vault rather than on a Mac behind a local password. Keep in mind that this doesn’t cover items that macOS and apps write to the login keychain directly, such as mail account passwords, app tokens, and certificates with their private keys; those are still lost if the old password is.
Resetting a Mac Password: Complications
There are a few wrinkles worth knowing about when it comes to resetting a Mac password.
Of course, on Apple devices, the keychain isn’t just local. There’s also the iCloud keychain. When enabled, it syncs a user’s keychain items across their devices. If it’s been enabled, users will be asked to authenticate with their iCloud credentials after resetting their password, so the items it synced can be restored to the new login keychain.
This would seem to make iCloud keychain a good solution to the “I lost my password” problem—except that it requires connections to personal iCloud accounts from work devices. That’s something many IT departments are reluctant to support. Again, third-party password management is a much better solution. Keep in mind that some apps default to trying to save passwords to a user’s keychain instead of a third-party password management app.
Normally, a user’s login password is the same as their FileVault password. And normally, if you follow one of the workflows above to reset a password, it’ll stay that way. But we need to acknowledge that there are also scripting-based workflows that can break that link, leaving the user with a local Mac password that won’t unlock FileVault at the pre-boot login window. The classic example is resetting a password with dscl, which rewrites the account record without going through FileVault, instead of with sysadminctl -resetPasswordFor, which asks for a SecureToken administrator’s credentials and keeps the FileVault password in step. macOS has been getting better at preventing that situation.
That being said, if you do need to help someone reset their password, follow one of the workflows above. If you find another workflow somewhere that seems to do the same thing, be sure to thoroughly test it before using it in production.
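Whether a given password actually unlocks the disk is only proven at the pre-boot login window, so a logged-in check can’t settle that out-of-sync case completely. What you can verify from a shell is the preconditions: that the account is a FileVault-enabled user, that it holds a SecureToken, that a personal recovery key exists for escrow (the check behind the recovery-key section above), and that the local password the user remembers still passes local authentication. The script below is an added example, not code from the original post or from Kandji. It assumes the output formats of sysadminctl -secureTokenStatus ("Secure token is ENABLED for user ..."), fdesetup list (one "username,UUID" line per FileVault user) and fdesetup haspersonalrecoverykey (true/false); the sample output used in the dry run is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# fv_sync_check.sh: are the preconditions met for USER's login password to unlock FileVault?
#   sysadminctl -secureTokenStatus USER  -> "... Secure token is ENABLED/DISABLED for user ..."
#   fdesetup list                        -> one "username,UUID" line per FileVault-enabled user
#   fdesetup haspersonalrecoverykey      -> true/false: is there a personal recovery key to escrow
#   dscl /Local/Default -authonly USER   -> prompts for a password and verifies it locally
# The parsing functions take captured text, so they can be exercised on any system; the real
# commands only run on macOS as root. Note the limit: a password that passes local auth but
# was set with a tool that bypassed FileVault still fails at pre-boot, which this cannot see.

secure_token_state() {
  # $1: output of `sysadminctl -secureTokenStatus USER 2>&1` (the tool logs to stderr).
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

user_is_fv_enabled() {
  # $1: username, $2: output of `fdesetup list`. Exact match on the first CSV field only.
  printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

fv_verdict() {
  # $1: username, $2: secureTokenStatus output, $3: fdesetup list output.
  # Prints PRECONDITIONS_OK, NOT_FV_USER, NO_SECURE_TOKEN or UNKNOWN; exit 0 only when OK.
  if ! user_is_fv_enabled "$1" "$3"; then
    echo NOT_FV_USER           # pre-boot login will not accept this account at all
    return 1
  fi
  case "$(secure_token_state "$2")" in
    ENABLED)  echo PRECONDITIONS_OK ;;
    DISABLED) echo NO_SECURE_TOKEN; return 1 ;;   # listed, but FileVault can't be re-keyed by it
    *)        echo UNKNOWN; return 1 ;;
  esac
}

verify_local_password() {
  # $1: username. Prompts for the password; exit 0 if the local account accepts it.
  dscl /Local/Default -authonly "$1"
}

if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && [ -n "${1:-}" ]; then
  tok_out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
  list_out=$(fdesetup list)
  echo "personal recovery key on this Mac: $(fdesetup haspersonalrecoverykey)"
  v=$(fv_verdict "$1" "$tok_out" "$list_out") || true
  echo "$1: $v"
else
  # Dry run on constructed sample output (not captured from a real Mac).
  SAMPLE_TOKEN='2024-05-01 09:12:00.123 sysadminctl[512:2048] Secure token is ENABLED for user Jane Appleseed'
  SAMPLE_LIST='admin,1C2D3E4F-0000-4000-8000-000000000001
jane,1C2D3E4F-0000-4000-8000-000000000002'
  for u in jane bob; do
    v=$(fv_verdict "$u" "$SAMPLE_TOKEN" "$SAMPLE_LIST") || true
    echo "$u: $v"
  done
fi
```

On a Mac, run it as root with the username as the only argument (sudo sh fv_sync_check.sh jane); anything other than PRECONDITIONS_OK means the user is headed for a recovery-key reset no matter what password they remember. Call verify_local_password separately when you want to confirm that the password the user remembers is still their local one before deciding between a change and a reset.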
Working with IdPs
If you store user IDs and passwords with an identity provider (IdP) such as Okta or Google Workspace, you might also use a system (such as Kandji Passport) to help users keep their local Mac password in sync with one stored with the IdP.
If a user’s IdP password changes, that new IdP password won’t unlock FileVault at the pre-boot login window after a restart, because FileVault only knows the local password. The user will need to log in with their old Mac password. Then a solution like Passport will help them change their local Mac account password to match their IdP password. If the user can’t remember their local Mac account password, we’re back to a workflow of asking a user to reset their local Mac account password.
What if a user can’t remember their local Mac account password and FileVault is turned on, and you’re using a solution like Passport to make sure the local Mac password is synced with the IdP account password? Then we’re back to using the FileVault recovery key to reset a password. At that point, you might as well have the user reset their local Mac password to match whatever their new IdP account password is.
The gist of all this: If at all possible, changing a local Mac password is better than resetting it. But if you don’t have the old password, you don’t have much choice. And one last tip: If you really want to dive deeply into this topic, check out Apple's own tutorial on the subject.
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.