I may have mentioned some time ago that I learned how to change Mac passwords without knowing the current password. Whether or not I did, I do know how to do it, and I do feel like sharing today. To be clear, this is a brief tutorial on how to change the password for one Mac user account on a computer to which you have physical access, in order to gain administrative privileges. This method doesn’t create a new user, it only changes the password of an existing one. As such, it does cause the password stored in that user’s keychains to fail, meaning that next time that user logs in, they’ll be prompted repeatedly for their newly changed password. I understand that this knowledge could pretty easily be used maliciously – have some self control, seriously. Knowing how to do it should be enough, you don’t need to break your school’s grading system or anything like that.
So before we start, you should know that there is a slight bit of prerequisite knowledge required. You should be comfortable with the command line interface, and knowing UNIX well is a big plus. I would just hate for you to try and follow this tutorial and then realize too late that you’re in over your head and accidentally breaking things. So, if you need it, here‘s a good tutorial on command line basics. Do it, and then do another, and then come back and break into your own Mac.
If the above paragraph doesn’t apply to you, let’s get started. In English, the general process for changing the password is to gain root access to the system, find the user account to change the password for, change the password, and reboot. If you were trying to do this remotely, the hardest part would be gaining root access, but as we have physical access to the computer, it’s completely trivial.
To get root access, boot into single-user mode by holding down Command+S (or Apple+S, if you prefer) as you start the computer. That is, from the shut-down state, turn on the computer while holding down Command+S. The normal boot sequence won’t happen – instead you’ll be dropped to a UNIX prompt as the root user.
As a preliminary note, the $ preceding commands represents the shell prompt.
It’s generally a good idea to take this opportunity to check the hard disk for errors before mounting it. I like to do it for the peace of mind. The command to check the disk is
$ /sbin/fsck -fy
This will run the same check that’s run when you click “Verify Disk” in Disk Utility. It takes a little while, and it may look like it’s frozen, but it’s really not. It just takes a while. Once it’s done, mount the filesystem with
$ /sbin/mount -uw /
The slash on the end refers to the mount point of the filesystem, meaning the root directory. Now that the filesystem is mounted, load the Apple directory services commandline utility with
$ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
Now you can use the dscl command to perform some simple operations on the computer’s list of users. First off, you want to see the names of all of the accounts on the system. You can get a listing easily using the following command.
$ dscl . list /Users
You’ll see a listing of all of the machine’s accounts, most of which start with an underscore. Most of these are accounts required for the proper operation of the system, but you never see them. You can ignore these. The ones you’re interested will be near the bottom of the list, without underscores. Generally, if you’re on a personal computer, you’ll be able to deduce which account has administrative rights, because it will be the one named after the person who owns the computer. If this isn’t the case, though, and you see a bunch of users with similar or ambiguous names, there’s an easy way to find out if a user has admin rights. Just enter
$ groups theusernamehere | grep admin
Replace “theusernamehere” with the name of the user you want to check admin rights for. If the command returns anything, this means that the user is an admin. You’ll also see the word “admin” among the groups in the command’s output. If not, they’re not an admin. Alternately, you can delete everything in the command after the user name and manually scan each output for the word “admin”. Use a bit of trial and error to find out who the administrator of the computer is. Once you’ve done that, changing their password is trivial. The command is
$ passwd theusernamehere
Replace “theusernamehere” with the exact username of the account you want to change. You’ll be asked to type and retype the new password for the user. Don’t be surprised that nothing appears when you type the password, that’s normal. Just reboot using
and log in as the user whose password you just changed. Congratulations, the system is now at your mercy.
As an alternative to this method, it’s possible to redo the setup that ran once when the computer was first started and create a new admin account that way. To do that, after you’ve mounted the filesystem, use
$ rm /var/db/.AppleSetupDone
to delete the file that indicates the completion of the initial setup. Then, when you reboot, you’ll go through the account creation process as if it was the first time you ever started the computer.
So there you go, be responsible with how you use this information. Try the process out though, it’s an incredible feeling the first time you break into a computer, even if it’s your own.