Hmmm this article does only delete a part of a user's record, the AuthAuthority value, in fact. This article is useful if you have a user created in 10.2.x and migrated in 10.5.

Beginning with 10.3, Apple changed the way passwords are stored for more security. Before 10.3, passwords were stored in the NetInfo database, in the users entries, using the unsecure crypt hash. Starting with 10.3, passwords are using stronger hashes (SHA-1 and beginning with 10.4 a Salted-SHA1) and they are no longer stored in the users entries but in /private/var/db/shadow/hash, in a file which is named with each user's GeneratedUID (not the old unix UID, be careful). This folder is only accessible to root and the AuthAuthority attribute tells the system which kind of password you have.

So, if your user was created before 10.3 and you have migrated it, you may want to do what this KB article explains.

The dscl command portion of this hint will work in 10.4 - I just used it to remotely reset admin passwords on several machines via ARD.

Thanks!!!

---
0==

Once you mount the file system, can't you just use passwd <username> ?

Of course neither method will change the user's login keychain password.

Yep, There is no backdoor into the keychain.

passwd will change the user's password in whatever way the system has been set up. Unix systems don't all use /etc/passwd, actually most standalone systems use /etc/shadow not /etc/passwd. Most networked systems use ldap or kerberos or even opendirectory. If passwd has been tailored correctly to the mac it should change the user's password correctly. Maybe not the keychain access password though.

N.B. I haven't tried using passwd in 10.5.

I did just the following after rebooting to single user mode in 10.5 and it worked:

/sbin/mount -uw /
passwd username

You don't have to worry about the Keychain password. Once you change the user's password and can log into the computer all need to do is simply go into the Accounts preference pane and change the password there to either the new password or something different if you so choose. That action will then automatically change the Keychain Password. I've done this several hundred times on Macs from 10.0 through 10.4.11 I haven't yet had to change a password on a Leopard box but I'm sure it will work just the same.

---
Tino XIII

Unfortunately, this doesn't seem to work with 10.5. I just did this and now can't access the login keychain (OS 10.5.6). Unfortunately, I don't think there's any way around this.

Aside from Open Firmware/EFI passwords, you can configure your Mac so that the root password must be entered in order to access Single User Mode. If your root account is disabled, then it is impossible to enter the root password, and Single User Mode cannot be started.

To do this, the console and ttys must be marked as insecure in /etc/ttys:

1. Log in as administrator
2. Open Terminal
3. cd /etc
4. sudo cp ttys ttys.old (backs up previous ttys config).
5. sudo pico ttys
6. Replace all occurrences of the word "secure" with "insecure" at any lines that do not begin with a "#"
7. Exit, saving changes.

These instructions are from the Apple Mac OS X Security Configuration manual.

This procedure works except that the password for login.keychain remains lost. What will reset that? Thanks!