FileVault is OS X's built-in data encryption technology. When it is enabled, you get into your system just as you would with an unencrypted OS X volume: by entering your account credentials. However, given that Apple supplies password-resetting utilities that can change an administrative password even without being logged in, you might be concerned that this will allow a bad guy to simply reset your password, bypass FileVault, and get to your encrypted files.
MacFixIt reader Fred recently wrote in with such a concern:
If I have FileVault enabled on my Mac, what prevents someone from restarting with Command-R held down, and then using the 'resetpassword' command to change the password and log into the system?
Without FileVault enabled this is definitely the case, but if you have FileVault enabled these password reset routines will not work.
The password reset features Apple provides are for the account password in the operating system, and not for the FileVault password or encryption keys. The way OS X sets up these passwords to appear the same may seem a bit convoluted, but these passwords are in fact different and are treated differently by the system.
When you enable FileVault, the system will initially mirror your account password to the FileVault volume's EFI login prompt. This prompt, which is stored on a separate hidden partition, looks like the standard OS X login window (with some subtle differences), but is a different process altogether. You can see this primarily in the timing at boot: without FileVault the system will load a few background processes and take a second or two to display the login window, but with FileVault enabled the system will show the login window almost immediately.
This is because the FileVault login window is the EFI login process, and not the standard OS X login window. When the EFI login window appears, you are looking at a system that does not have OS X running in any way -- the system software and all contents of the disk are still locked away and encrypted.
At this point, the EFI login password is accepted to unlock the volume, and then OS X is allowed to boot and load system processes and user accounts, etc.
The seamless aspect that Apple has built here is to mirror the OS X login window's look and feel, and then copy your account password to use for unlocking the disk. When you provide your login credentials at the EFI login prompt, these credentials first unlock the volume, and then are passed to OS X when it loads, allowing the system to immediately log into your account.
If you change your account password in the Users & Groups system preferences in OS X, then the FileVault EFI login password will be updated accordingly; however, if you use alternative approaches like booting to the OS X Recovery partition to reset passwords, then you will run into several obstacles.
First and foremost, you will be required to unlock an encrypted boot volume for these password resetting routines to work, which in itself requires knowledge of the encrypted drive's password. Without this, these routines will not be able to access the OS X directory to change an account password.
Second, even if the encrypted drive is unlocked, the use of non-standard password changing routines in OS X (such as the 'passwd' command in the Terminal, and the 'resetpassword' tool in the Recovery volume) will not properly update the EFI login password, meaning that even though your account password has changed, the system will still require the old password to first unlock the volume at boot.
If your account password is changed in this manner to be separate from the EFI login, then you will see the system first request the EFI password, then display the login window again (this time the true OS X login window) so you can supply the changed account password. This split happens because the old password required at the EFI login prompt will not be valid when the system passes it to the OS X login window, so automatic login will fail and you will be required to enter your new login password to get into your account.
It may help to consider various scenarios of what might happen if you try to use password resetting tools and routines on a FileVault-protected volume:
- Scenario 1: FileVault is enabled, and you boot to the OS X Recovery HD partition and try to use the 'resetpassword' utility.
In this case you will not see your boot drive listed as a valid source for a system account in which to change the password. You will first have to open Disk Utility and unlock the volume, and even then the resetpassword utility will only change the OS X account password, and not the FileVault password.
- Scenario 2: You start up your Mac in Target Disk mode and try using another Mac to access the drive and change the password.
In this case, as with scenario 1, you will first need to provide the FileVault password before any data on the disk can be accessed by password reset routines.
- Scenario 3: You try booting to Single User mode to bypass the login prompt, and then use terminal-based commands to change passwords.
In this case, the attempt will fail since FileVault's locked volume disables the ability to boot to alternative modes such as Single User mode. The volume must first be unlocked before any boot process can take place, be it normal mode, single user mode, safe mode, or any other. Additionally, since these modes require passage of hardware variables (i.e., a key combination) to the OS X kernel, this can only be done at a specific point in the boot process (at the boot chimes) and FileVault's unlock requirement breaks this ability.
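Every scenario above depends on FileVault actually being on, so it is worth confirming that from the Terminal. The script below is an added example, not something from the original article: it classifies the output of Apple's `fdesetup status` and `fdesetup list` commands. The function names and sample data are hypothetical, and the status strings it matches are assumed to be the ones `fdesetup` prints.

```shell
#!/bin/sh
# Added example (not from the article): classify exposure to the Recovery
# 'resetpassword' route from fdesetup output. 'fdesetup list' requires root.

# Constructed sample output so the script also runs away from a Mac.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 41'
SAMPLE_LIST='fred,11111111-2222-3333-4444-555555555555
admin,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# fv_state <status text> -> on | encrypting | decrypting | off | unknown
# (assumed status strings; conversion states are checked first because the
# "in progress" output also contains the On/Off line)
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On."*)       echo on ;;
        *"FileVault is Off."*)      echo off ;;
        *)                          echo unknown ;;
    esac
}

# fv_unlock_users <list text> -> short names allowed to unlock the disk at
# the EFI login prompt, space separated (input lines are "name,UUID").
fv_unlock_users() {
    printf '%s\n' "$1" |
        awk -F, 'NF == 2 && $1 != "" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# fv_verdict <status text> -> one-line assessment
fv_verdict() {
    case "$(fv_state "$1")" in
        on)  echo "PROTECTED: the volume must be unlocked before any reset tool can reach accounts" ;;
        off) echo "EXPOSED: Recovery 'resetpassword' can change account passwords on this volume" ;;
        encrypting|decrypting) echo "IN TRANSITION: re-check once conversion finishes" ;;
        *)   echo "UNKNOWN: could not parse fdesetup output" ;;
    esac
}

# Use live data on a Mac, the constructed samples elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status 2>&1); users=$(fdesetup list 2>/dev/null)
else
    status=$SAMPLE_ON; users=$SAMPLE_LIST
fi
fv_verdict "$status"
echo "EFI unlock users: $(fv_unlock_users "$users")"
```

The user list is worth reviewing as well: only the accounts it names can unlock the disk at the EFI login prompt.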
Overall, the password reset routines Apple provides with OS X are for account passwords only, and not for FileVault. For simplicity, Apple mirrors your account password with FileVault, and sets up an EFI login routine that looks like, but is separate from, the OS X login prompt. If you try to use secondary password reset routines, you will still first have to unlock the FileVault volume so its contents can be accessed. Without this, these password reset routines will be useless. The only way to change a FileVault password when you change your account password is by using the Users & Groups system preferences, and even though there are methods for managing the FileVault password separately, in all cases, in order for the FileVault password to be changed, the disk must first be unlocked.
Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.