Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

How *not* to change account passwords in 10.3 System
I've been running FileVault with OS X 10.3 for a long time, and have been generally very impressed with its robustness-- even when I had some bad blocks on my drive. Recently I thought I should lengthen, and so strengthen, my account login password. So I went to the Accounts pane in System Preferences, inserted the cursor to the right of the seven bullets that represented my current password, added 10 more characters, repeated the operation in the Confirm Password field below, and my new password was accepted.

As you may know, those seven bullets show up in the Password field in this version of OS X -- no matter what the length of your password, or, indeed, even if that account doesn't even have a password. In fact, my original password, represented by those seven bullets, was actually nine characters. In any case, what happened next was that I could not log into my account with my now-changed password, and, hence, could not unlock the FileVault sparseimage containing my home directory.

I tried everything I could think of -- eg, the first seven characters of my old password plus the 10 characters I'd just added, just the old password, just the new 10-character addition, etc. (I was still able to access my computer through another account; just not my main account's home directory.)

I considered that maybe I'd forgotten what I'd added, but then I created a dummy account with a new password, and tried the same trick of adding characters after the bullets in the password field in the accounts pane. The new password was accepted. And the problem replicated itself -- I could then no longer log in, with either the new or old passwords, or any combination of the two that I could think of.

So if you're on 10.3, do not change your password by merely appending text to the bullets in the Accounts System Preferences panel -- you'll effectively lock out the account! (This isn't an issue in 10.4, as the bullets no longer show and you must type the existing password in full.)
    •    
  • Currently 1.40 / 5
  You rated: 1 / 5 (5 votes cast)
 
[10,501 views]  

How *not* to change account passwords in 10.3 | 28 comments | Create New Account
Click here to return to the 'How *not* to change account passwords in 10.3' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
How *not* to change account passwords in 10.3
Authored by: lewsmind on Aug 24, '06 07:52:24AM

Thanks for the tip, and I hope you didn't lose anything too important.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: zimmerleut on Aug 24, '06 07:52:56AM

you haven't mentioned it, so did you try seven bullets + additional password as the password?



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: thinkyhead on Aug 30, '06 08:37:08PM

I second this suggestion. If the original characters in the field were 7 bullets, maybe the system takes them literally. You may be able to compare this behavior with some program that stores passwords in the keychain - probably not Safari, but maybe an FTP/SFTP client.

---
|
| slur was here
|



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: codingismy11to7 on Aug 24, '06 08:11:11AM
you can probably fix your account by logging in as or sudoing to root and running
passwd <brokenaccount>


[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: snit on Aug 24, '06 10:06:11AM

You can also use the install disk to change passwords... so not all is lost.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: inertia186 on Aug 24, '06 10:10:22AM

Hold on. If it's that simple, then what's the point of FileVaultâ„¢?



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: dabeatles on Aug 25, '06 05:47:08AM
with file vault on, you can still reset the password using those methods, but it won't change the password on your encrypted home directory, because it needs the old one first

[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: Nem on Aug 24, '06 10:13:04AM
Nope, using password or the install disk won't help. He's running Filevault, so its not just his login password, but also the key to encrypting the home directory.

---
Nem W. Schlecht
http://geekmuse.net/

[ Reply to This | # ]

How *not* to change account passwords in 10.3
Authored by: Nem on Aug 24, '06 10:26:26AM

Hmm.. I've been thinking about this some more. This was a bad idea on your (and Apple's part). No UNIX system stores your password as plaintext for recall, not even OS X. Everything is encrypted using that password. If it decrypts something correctly, then it is the correct password, otherwise, it isn't the right password and you can't log in/etc.

I'm guessing the bullets were just placeholders of some sort and that your password is now some thing like '7 wacky characters that you can't type' followed by what you added.

I'm running 10.4, so I can't reproduce this (the password dialog no longer has placeholder bullets). However, go into your new account, go the System Prefs, Accounts page and just select the bullets in the change password field. Copy the text (Cmd-C) and then open a Terminal window and do a paste (Cmd-V) and see what it spits out. I'm guessing you'll see 7 boxes, which means they are characters that Terminal doesn't know how to display.

I'd call Apple if I were you, and see if they can straighten out this mess. It's possible to reset the password on your account and get Filevault updated, but I'm guessing you'll need Administrative privs and still have to use the GUI, but they'll have a better idea of what's actually going on here and how to fix it.

---
Nem W. Schlecht
http://geekmuse.net/



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: joab on Aug 24, '06 11:09:24AM

I thought this was the reason you have a "Master" password for all FileVaults? As long as you still have that you're safe, right?



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: squirri on Aug 24, '06 11:13:24AM

I was just going to say the same thing - the Master password should unlock the directory(of course, you *did* set one didn't you?)

If this does not work, then we need to know

I for one am not inclined to experiment with this...



[ Reply to This | # ]
recovering a filevault
Authored by: cuberoot on Aug 24, '06 11:24:29AM

I'm not sure if you need this advice, but probably the only way to recover your filevault is to use the system's filevault master password. You did set one, right?

cheers,
Christopher



[ Reply to This | # ]
recovering a filevault
Authored by: cuberoot on Aug 24, '06 11:25:56AM

Eek.. I started typing this before the last comment was up but finished it after. Sorry for the dup.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: poenn on Aug 24, '06 11:35:09AM

I'd try to upgrade to 10.4. It may seem unlikely, but maybe that solves your problem. Setting a master password and remembering it could help, too... :-)



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: tyip on Aug 24, '06 12:55:01PM

Did you try:

Go back to System Preferences > Accounts page.
In the seven bullets in the Password field, type in the text you had appended to make the new password. You now have 17 bullets in that field. Copy all 17 bullets and then paste it into the password field and see if that works.

The main log in panel does not allow pasting into the password field but my sparseimage in 10.3.9 does.

Good luck and let us know what works.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: zpjet on Aug 25, '06 09:17:51AM

i doubt you can copy / paste passwords.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: bombcar on Aug 24, '06 08:00:44PM

Did you try cutting 7 bullets into the password field, and then typing the 10 new characters afterwards? I.e., reproducing exactly what you did in the first place?



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: davidhelgason on Aug 24, '06 11:57:22PM

... or if that won't work, try some other "filler" characters. Spaces? Dots? Actually someone somewhere deep down inside Apple would be able to shed light on this. If the data in there is really important etc., try to escalate this and eventually you might get in touch with someone in the know.

d.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: johnsawyercjs on Aug 24, '06 11:10:12PM

The person posting this hint says his original password was nine characters, and he knows that the password field will simply show seven bullet characters no matter how long the password is, but he didn't explicitly say that he also tried entering his full, nine-character password, followed by the ten new characters he added, so I tried that with a test account, and it didn't work either.

For the people wondering whether entering bullet characters in place of a password's actual characters would work: of course it won't--if it did, nobody's password would be worth a damn.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: bas.den.hond on Aug 25, '06 01:49:33AM

I would try this:

Create a new account. Give it the shortest password possible: one letter, say 'a'.
Make the mistake again by adding just one letter again, say 'b'.
(if seven bullets are showing, delete the last six).
You now have a two-letter password for the account, one of which you know. So a brute-force attack will take 256 tries at worst.
Once you know what's behind the bullet, you're hoping all bullets are the same, of course...

Good luck!



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: itistoday on Aug 25, '06 09:56:42PM

This is a good idea. I would try it and see how far you can get, however, make sure to try all characters (including spaces, ~'s, ''s, :'s, etc) and most importantly, call Apple and try their support forums. I think this is clearly Apple's fault, they should have known better than to make such a confusing interface for something so important.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: jmao on Aug 25, '06 04:51:57AM

If the act of changing your password from the Accounts pref pane in System prefs also then alters the filevault password, then why don't you just change your password again?

Create another user that has admin rights. Then use that account in terminal and use dscl to change the account password of the first account.

sudo dscl . -passwd /Users/username newpassword

Once reset this way, you would be able to return to the other account and reset the account password from the GUI.

Would this work? From the sounds of what you've been doing, your machine auto-logins to your main account, right? So, you are able to enter this account to create another? If not, then reset the password using a System CD or from Single-user mode,...either way, this might help.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: jmao on Aug 25, '06 04:53:22AM

In addition, I believe with VoiceOver enabled, you can enter the text field with the 7 bullets, and select the text. VoiceOver will attempt to read it to you,...



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: Nem on Aug 25, '06 10:27:51PM
Sorry, but that wouldn't work.

As an administrator, when you change a user's password, it just overwrites whatever is stored in netinfo (on other UNIX boxes, it overwrites whatever is in /etc/shadow for a particular user).

In order to "fix" the FileVault, you must have the password/key it was encrypted with.

This actually begs another question. If you change your password, does OS X re-encrypt your entire FileVault (home directory) with the new password? I'm guessing not, actually. I'm guessing that the key used to encrypt the FileVault is more complex than what can be represented by your password. That means that the actual encryption key is stored somewhere else on the system and perhaps that is encrypted with your login password. This makes a lot more sense, since it would be a time (and disk) consuming exercise to re-encrypt your FileVault everytime you change your password.

This is actually quite interesting - I'm gonna have to go do some research on this. ;-)

---
Nem W. Schlecht
http://geekmuse.net/

[ Reply to This | # ]

How *not* to change account passwords in 10.3
Authored by: Jason_ff on Aug 25, '06 12:47:27PM

well, this would be as good a reason as any to attempt some sort of bruteforce or cracking attempt to decrypt FileVault...and we'll see how strong it really is....



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: tyip on Aug 25, '06 01:20:35PM

You're half right. You cannot copy what's in the password field but you can paste into it (at least in system preferences accounts and in password protected disk images). But you cannot paste the password in the log in dialog box. So it's not very consistent.



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: david-bo on Aug 28, '06 01:51:32PM

Open the NIB-file in Interface Builder and change the properties of the password field from bulleted to regular text and see what the placeholder actually consists of. I have done this in Mail and got the password in clear after this change.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=



[ Reply to This | # ]
How *not* to change account passwords in 10.3
Authored by: robg on Nov 25, '06 09:19:01AM
I received this via email:
...the seven bullets displayed in the Accounts pref pane in "Panther" are actually hiding the characters "1234567," so if the password was changed by appending characters to the bullets, the new password is likely "1234567newcharacters". Hopefully this information will help them to regain access to their filevault account.
Probably way too late, but maybe it will help.

-rob.

[ Reply to This | # ]