We recently went through a few ways to break into a Windows PC without the password, and it turns out it's just as easy to break into a Mac too. Here's how to do it and keep yourself protected.
Just like on Windows, there are quite a few ways to break into a Mac, but many of them are variations on the same thing, so we're going to highlight the two easiest ways—one with a Mac OS X installer CD and one without—and show you how to keep yourself protected. Note that while these two methods will get you into the OS without knowing the password, you can always just use our previously mentioned "lazy method" with a Mac too—just boot up the computer with a Linux Live CD and start grabbing files.
How to Reset the Mac OS X Password
Both of the methods outlined below are ways to reset the Mac OS X password. While there are cracking utilities like John the Ripper or THC-Hydra, they're either complicated to use or expensive to buy, so we won't go into them here like we did with Windows (which has the very easy-to-use Ophcrack). Both of these methods assume the target computer is running Snow Leopard.
Method One: Use the Mac OS X Installer CD
If you have the Mac OS X installer CD handy, it's super easy to change the administrator account's password. Just insert the CD into the target Mac and hold the "c" key as you boot up the computer. It will boot into the Mac OS X installer. Once it does, head up to Utilities in the menu bar and choose Password Reset. You'll get a window prompting you to select the drive on which OS X is installed; so choose the drive you want to get into and select the user who's password you want from the drop-down menu.
Enter a new password for that user and hit the save button. That's it! When you reboot the computer, you can use your new password to log into the computer. Note that unfortunately, you still won't be able to unlock the Keychain, so if what you're trying to access has another layer of password protection, you won't be able to access it.
Method Two: Boot into Single-User Mode
If you don't have an installer CD handy, you just need to do a bit of fancy command-line footwork to achieve the same end as the CD method. Boot up the computer, holding Command+S as you hear the startup chime. The Mac will boot into single user mode, giving you a command prompt after loading everything up. Type the following commands, hitting Enter after each one and waiting for the prompt to come up again before running the next one:/sbin/fsck -fy /sbin/mount -uw / launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist dscl . -passwd /Users/whitsongordon lifehacker
whitsongordonwith the user who's account you want to access and
lifehackerwith the new password you want to assign to that user.
If you don't know the users username, it should be pretty easy to run
ls /Usersat any time during single user mode to list all the home folders on the Mac, which usually correspond to the usernames available on the Mac. Note that, once again, this doesn't give you access to the OS X Keychain, so anything protected with another layer of password s will be off-limits.
How to Protect Your Mac from Being Broken Into
Luckily, while it's pretty easy to break into a Mac, it's also just as easy to protect yourself. Just like last time, our main recommendation is encrypting your entire OS. Note that this does not mean use OS X's built-in FileVault tool. We weren't impressed with FileVault the last time we looked at it, and it turns out it's pretty easy to get past FileVault's protection.
Instead, we recommend you use our favorite free, open-source encryption tool TrueCrypt. It came out with a Mac version back in 2008, and it still works wonderfully at encrypting entire partitions and drives on your computer. And, since anyone wanting to boot the computer needs to know your TrueCrypt password, they'll never even get to the password reset stage—so all your files will be safe.
Update: As many of you have pointed out in the comments, I misunderstood a few things about both FileVault and TrueCrypt. FileVault is not easily bypassable, and while it won't encrypt your entire drive, it should keep you safe from the above methods. TrueCrypt cannot currently encrypt an entire boot drive on a Mac.
However, you also pointed out that there's another simple way to keep people from resetting your password, and that's using a firmware password. If you have a Mac OS X installer CD, you can boot up from it and go to Utilities > Firmware Password Utility and set a firmware password. This prevents other folks from being able to boot up your computer from another hard disk, CD, or in single user mode. Someone with bad intentions could still bypass it, but it would quite a bit of alone time with your hardware. So, for best results, you'll probably want to encrypt your files with FileVault and set up a firmware password.
As always, these are just a few of the easiest ways to break into a Mac. Do you know of any others? Share them with us in the comments (don't forget to share their weaknesses, too, so we know how to protect ourselves from them).
Send an email to Whitson Gordon, the author of this post, at email@example.com.
Your version of Internet Explorer is not supported. Please upgrade to the most recent version in order to view comments.Open Firmware will stop both of those.
Now, open Firmware CAN be bypassed, in fact very easily - simply by pulling out a stick of ram and then booting into SUM.
I also believe that OFP is not worth the hassle of losing single user mode, target mode, netboot, or risking forgetting your (hopefully different) password.
What WILL help you is to use Lock with SUM. Linux/Unix users will know that lock is a standard feature on most flavors - and was even included with OS X up to 10.4. setting up lock will password protect single user mode - meaning no sudo rights, meaning no passwd command.
Of course, with enough time and effort, someone will always be able to get to your files - but if you're worried about somebody sneaking a peek at Starbucks, or on your desk without you knowing it - lock or OFP will help. It's not like people walk around with live CDs or Boot discs in their pockets (I don't think...)
In regards to firmware password: Be very careful to never forget that password... those can NOT be recovered or reset, AFAIK. It's a great way to brick your precious Mac. I believe this only applies to Intel-based machines, as the older PPC-based machines could be reset with a hardware hack. Replygemcosta approved this comment
You can also hold the T key down on any Mac whilst it is booting and it will be placed in Target Disk mode, which effectively makes the entire machine an external FireWire hard drive. You can copy data as you wish or clone the entire system from Disk Utility on another Mac. Once you have the cloned system, you can restore it onto another Mac and have at it (password reset). This will prevent the user from even knowing you were there, because if you reset the password before you clone the system, they will know as they will not be able to login with their password.
You CANNOT use password reset on an account with FileVault turned on. If you copy the sparse image of a file vaulted machine, you will need the master password to open it, there is no way around this. Replyomgwtflolbbqbye promoted this comment
Be careful, I've done this twice, and lost all my data both times. Reply
There is no need to do the hardware hack... Just hold command+option+p+r and after 3 or 4 chimed reboots, the FW password won't be there. Hopefully Intel will make something more secure using EFI at some point. Reply
"You can do this on a Mac, only faster and more efficiently."
He Hee. Reply
Dark Helmet: One.
Colonel Sandurz: One.
Dark Helmet: Two.
Colonel Sandurz: Two.
Dark Helmet: Three.
Colonel Sandurz: Three.
Dark Helmet: Four.
Colonel Sandurz: Four.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage. Reply
Just target boot it into an external firewire drive status and then take whatever you want. Reply
What I'm wondering is, why is Lifehacker teaching people how to do break into other people's Macs? It's great to educate people of the danger and how easy it would be for someone to do it, but detailing exactly how to go about doing it makes this just as helpful to someone wanting to break into a Mac as it is for someone who wants to protect themselves from it.
It's like detailing how to make the bomb while telling people how to protect themselves from an explosion. Reply
I totally posted this on the facebook link of the last breaking in post. :P
I love single user mode, amazing exploit. My school has a 63 character WPA2 wifi code and the Macs allowed me to bypass it easily (after I'm in as admin, just go to wireless settings and view passwords). Easy.
Also, if you want to find out the password itself rather than changing it, you can use the command "nidump passwd" to give you the password hash which can then be cracked with John the Ripper. Reply
Does the CD have to be the one that came with the Mac? For instance, my friend and I both have MacBooks, but he lost his CD. Would my CD work on his? Replydanielblakes promoted this comment
"it turns out it's just as easy to break into a Mac too"
I'm going to go out on a limb and say it's even easier. A decent amount of Mac owners believe that their computers are basically immune to this kind of thing, so they're less likely to take some of the precautions that Windows users might take.
That said, of course, it comes down to the individual users at hand, so it's good that you're providing ways that we can protect ourselves, Mac or PC. When you see how easy something is, it makes you that more likely to realize you might just need protection. Reply
I think you might be missing a few things.
On the Mac side of TrueCrypt...it supports encrypting entire volumes - but not the boot volume. You actually have to boot the OS and login in order to use TrueCrypt volumes. You cannot encrypt the OS itself...so it would not prevent resetting user passwords by either of the methods you described - or protect the OS from tampering. It would just potentially prevent access to the files inside a TC encrypted volume - which is admirable, but can be accomplished via many methods, including encrypted image files within OSX.
Also the article (from 2005) that you referenced on FileVault does not actually provide a way to magically bypass the master password and access FileVault folders...it allows you to reset a forgotten password. Any volumes that were already encrypted with FileVault would be inaccessible to you unless you knew the specific volume password.
One can also set a firmware password that will disable booting from anything but the harddrive, disables auto-login for single user mode and turns off firewire DMA...but unfortunately pulling a stick of the ram and powering up will bypass that otherwise fairly decent bit of security. Reply
I remember stumbling across a great article a while ago about how to extract and crack the Salted MD5 password hashes on OSX.
I haven't been able to try it yet because I haven't been able to compile John The Ripper properly, but it honestly doesn't seem that hard. Reply
Wow, great article Whitson. I knew about the DVD password reset, but never knew about the command-line. It's scarily simple. Reply
You can also use your OS X install disc to set up a firmware password. This prevents booting to anything other than the hard drive without first entering the firmware password, and also prevents single-user mode. Shy of physically removing the drive, this should be sufficient to protect your Mac, in addition to a strong user password. Replypedersencato promoted this comment
Very good article. It's also possible to prevent this by setting up firmware password protection (can't boot CD or get into single user mode).
Also, using FileVault for your home directory will protect it, even if the account password is changed.
is a neat trick in single user mode, and will bring up the Setup Assistant at the next boot, as if the Mac was brand new, and offer to formally set up a new admin account. Reply
Wow, this was enlightening. Thanks for the read! The CD reset one is ridiculously easy. Command line isn't hard either. It's really surprising how easy it is to bypass what is seen as a very secure method of keeping your files safe.
I once read about how to use TrueCrypt to load two OSes on a single harddrive, with one a hidden OS and the other a decoy. Does that work with Macs, as well? Reply
Thursday, November 4, 2010
How to Break Into a Mac (And Prevent It from Happening to You)