Five Ways to Reset a Lost Administrator Password
This article is over four years old and some details have changed.
For up-to-date help, read “Three Ways to Reset a Lost Admin Password in High Sierra” (5 July 2018).
Several years ago, I was helping a client upgrade her Mac running Mac OS X 10.5 Leopard, but she couldn’t remember her administrator password. Because she also couldn’t find the original system CDs that shipped with her iMac, I had to resort to some advanced techniques few home users would ever be able to figure out.
Starting with 10.7 Lion, you could still call on all those options, but Apple added a method so easy that even an inexperienced user can do it — the Apple ID-based password reset. Let’s explore all the options to reset a password. Which you should use depends on the specific version of Mac OS X, and how the Mac is set up.
But first, there’s an important caveat about any of these methods, related to the login keychain.
Reset Login Keychain Password — No matter which of these methods you use to reset a forgotten administrator password, it won’t update the password protecting the account’s login keychain, which stores all of the user’s passwords. Since the keychain is protected by the now-forgotten administrator password, there’s no way to get back into it. Newer versions of Mac OS X may prompt about this problem at startup; otherwise you’ll need to delete the keychain and start it over again, using these steps:
- Open Keychain Access from
/Applications/Utilities, and choose Keychain Access > Preferences (Command-,).
- In newer versions of Mac OS X, you’ll see a button labeled Reset My Default Keychain in the General pane. If you have that button, click it to remove the old keychain and create a new one with the new password.
- If that button is not present, choose Edit > Keychain List (Command-Option-L), select the login keychain, and click the minus button to delete it.
- Open Keychain Access from
- Quit Keychain Access and restart the Mac. A new login keychain will start collecting and storing the passwords for Wi-Fi networks, email accounts, Web sites, and other logins as they occur.
If you can’t work with Keychain Access because of something like Messages Agent constantly asking for the forgotten login keychain password, you’ll have to resort to the command line, with these steps:
- Reboot into Single User mode by restarting the Mac and holding Command-S while the system comes back up. Numerous lines of status messages will scroll by.
- Once you have a command-line prompt, enter this command to mount the root Mac OS X drive as writable, so you can make changes to the filesystem:
mount -uw /
- Figure out the shortname of the account you want to reset by looking through the list that results from typing this command:
- Now enter this command to delete that account’s login keychain, replacing shortname appropriately:
- Restart the Mac by typing:
When the Mac comes back up, Mac OS X should create a new login keychain.
Now let’s move on to resetting the password!
1: Use the Command Line — In early versions of Mac OS X, the command line was the best way to reset a forgotten administrator password. Even now, command-line password reset remains available, making it the most universal approach that will work in any situation. If you’re not turned off by typing highly specific commands, follow these steps:
- Make a note of the user account shortname by opening the Home folder (in the Finder, choose Go > Home) and checking the folder name at the top of the window. If you can’t get into the account at all, you can determine the shortname later on.
- Reboot into Single User mode by restarting the Mac and holding Command-S while the system comes back up. A lot of arcane status messages scroll by, and leave you with a command-line prompt.
- Mount the root Mac OS X drive as writable, so you can make changes to the filesystem, with this command:
mount -uw /
- For those running 10.7 Lion, 10.8 Mountain Lion, or 10.9 Mavericks, enter this command at the prompt to load Open Directory (which manages user accounts) manually, since it was deprecated in Lion:
launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plistSkip this step if you’re running 10.6 Snow Leopard or earlier.
- If you don’t know the shortname of the account you want to reset, look through the list that results from typing this command:
- Next, enter the following command, replacing “shortname” with the desired account’s shortname:
dscl . -passwd /Users/shortnameIf you get this error message, you may ignore it:
launchctl: Couldn’t stat
No such file or directory nothing found to load
- Type in the new password.
- Restart the Mac by typing:
2: Use One Account to Reset Another — Since 10.4 Tiger, if a Mac had multiple administrator accounts, you could log into one account to reset the password in another. This remains possible, and is one of the reasons that many people who are responsible for the Macs of less-experienced users will often create a separate administrator-level account for troubleshooting. Here are the steps you need to follow to use this approach, assuming you have the necessary access:
- While logged in an administrator account in which you know the password, open the Users & Groups pane of System Preferences (it was called Accounts before 10.7 Lion).
- Select the name of the user whose password you want to change, and click the Reset Password button. (You may need to click the lock icon in the lower left of the window and enter an administrator password to be able to make changes.)
- Enter the new password, the same password again for verification, and a hint in case it’s forgotten again.
3: Use the Installer CD or DVD — Up through 10.6 Snow Leopard, if the Mac had only the original administrator account, and resetting the password via the command line was too scary, you could use the original Mac OS X Install disc instead. (Actual snow leopards may be endangered, but installer discs went extinct with 10.7 Lion, so this method is only for older Macs.) Here’s how:
- With the Mac turned off, power it up, insert the disc immediately, and hold down the C key to make the Mac boot from the disc’s version of Mac OS X.
- From the Utilities menu at the top of the screen (or the Installer menu in 10.3 Panther), choose Reset Password.
- Select the hard disk volume, and the name of the original administrator account. (Stay away from the Root account.)
- Enter the new password, and then click Save.
- Quit the Mac OS X Installer, and restart the Mac normally.
Apple provides a support document with more details, along with instructions for Mac OS X 10.1 through 10.3, should you run into such an ancient setup.
4: Use the Recovery Partition — Starting with 10.7 Lion, which was sold only through the Mac App Store, the installer disc was replaced by the Recovery partition, a small chunk of the boot disk that contains a stripped-down version of Mac OS X and essential utilities. To reset the administrator password when running Lion or later:
- Restart the Mac while holding down the Option key, and double-click the icon for the Recovery partition. A Mac OS X Utilities screen appears.
- Choose Utilities > Terminal.
- In Terminal, type
resetpassword. Rather unusually for a task performed from the command line, a graphical Reset Password window appears.
- Select the startup volume at the top of the window, and then choose a user account from the pop-up menu. In the fields below, enter the new password, confirm it, and add an appropriate hint.
- Click Save, and then choose Restart from the Apple menu.
5: Use Your Apple ID — Starting with 10.7 Lion, it also became possible to use your Apple ID to reset your administrator password. It’s turned on by default in the Users & Groups pane of System Preferences, but double-check to make sure.
When this feature is active, if you enter the administrator password incorrectly at the login window three times, a popover appears with the password hint and a message saying “If you forgot your password, you can reset it using your Apple ID.” Here’s how to do that:
- Click the arrow icon to open the Reset Password dialog.
- Enter your Apple ID and its password, then click Reset Password to proceed.
- Enter a new administrator password, verify it, and fill in the Hint field so that you’ll get a memory trigger the next time you forget.
- Click Reset Password, and you’re done.
If you’ve also forgotten your Apple ID password, you can reset that at Apple’s My Apple ID page. Doing so relies on having access to the email address associated with your Apple ID; if that email account could be compromised, allowing the administrator password to be reset by the Apple ID might provide a way that the physical security of your Mac could be attacked. If you’re really worried, turn the feature off in the Users & Groups preference pane.
One quirk. If you upgraded from 10.6 Snow Leopard to 10.7 Lion, you may not get the reset message after three incorrect attempts. To fix this problem while you can still access the account, open the Users & Groups preference pane, delete the affected Apple ID, and then add the same Apple ID back.
It’s also important to know that encrypting your Mac’s boot disk with FileVault 2 prevents you from using your Apple ID to reset your password (since the password is used in FileVault’s encryption). Read this Apple support document for more information about FileVault.
No Excuse for a Lost Password — Regardless of how or why an administrator password has been lost or forgotten, there are a variety of techniques that you can use to reset it and regain full access to a Mac. These techniques aren’t to be used willy-nilly, since the login keychain will be lost in the process, but whether the simple method of using an Apple ID is sufficient or you need to drop down to the command line, you should be able to get the access you need.
And of course, there's always the venerable:
mount -uw /
in single-user mode
Interesting - I hadn't run across that one before. It looks like it creates a new user account as well, though, so it would be good mostly in a situation where you didn't care about the files in the account whose password has been lost.
I've always used it for pre-Lion systems where the client had forgotten their login password. Create a new, temp admin account. Use it to remove the other account's password. Remove the temp account. I've never used the Directory Service command line utility because it's fairly more complicated.
I think that's a pretty cool workaround myself!
Thanks Carlos. This workaround is great. Just what I needed.
None of the above worked for me
Trying to remove a user password from a friends computer for her sons after she died.
Got is /Users
is: is not a valid command
Last tried Carlos idea got Specified device does not match mounted device.
She had an apple computer dual booted with windows and I removed the windows password but unable to get past the startup screen asking for her apple password
GOT IT I used this link found another way
Looks like you're retyping commands and introducing typos (is instead of ls). I recommend you use copy and paste instead.