Where are Mac user account passwords stored?
Solution 1
The hashes were in /var/db/shadow/hash/ in 10.6 and earlier, but they are stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and 10.8.
You can print the hash data with DaveGrohl (sudo dave -s $USER) or something like this:
sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData | tr -dc '0-9a-f ' | xxd -p -r | plutil -convert xml1 - -o -
If automatic login is enabled, the password of the login keychain is also stored in /etc/kcpassword encrypted with XOR cipher.
sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'
Solution 2
I don't know that much about it, but from what I could gather using opensnoop:
login accesses the local directory service (possibly related to some Kerberos stuff -- maybe that's the underlying implementation for the local directory, it reads /Library/Preferences/edu.mit.Kerberos, /etc/krb5.conf, /usr/etc/krb5.conf etc.).
dscl, the directory service command line utility, then cd Local/Default/Users/yourusername, read reveals the usual unixy account-related stuff, plus: GeneratedUID: 1A5EF9B7-4DB6-4C01-919A-xxxxx (don't know the implications, so I censored a little) -- you can also read this UUID via Accounts.prefPane in System Preferences.app.
That matches a filename in /private/var/db/shadow/hash/ also accessed by login!
I guess your best bet is to rename/copy the files with the GeneratedUID name, or change the reference in the directory service.
Included all my "research" to allow you to retrace my steps and allow for refutability.
I don't have the time to trash and restore my user accounts, so you're on your own now. Good luck.
TLDR: Open Accounts.prefPane, check your UUID (right-click your user in the list) and look for a file by that name in /private/var/db/shadow/hash/. Don't know if it works at all. Good luck.
Related videos on Youtube
02 : 08
08 : 04
04 : 16
05 : 08
02 : 16
user51799
Updated on September 17, 2022Comments
-
user51799 over 1 year
How can I access the encrypted value of a local user account password in osx? Would it be possible to check against it or even copy it to another account?
-
HikeMike over 13 years
-
HikeMike over 13 yearsI love googling for obscure system directories to find out what they're for :-)
-
c-o-d about 10 yearsBrillant, how do you learn such an intimate knowledge of OS X?
-
Kayvan Sylvan over 8 yearsThis is not quite right. The "break" should only happen when (b == key[i% key.size]), but I found your code enlightening. Thanks!
