Photo by Masaaki Komori
Three Ways to Reset a Lost Admin Password in High Sierra
More than four years ago, Alicia Katz Pollock wrote “Five Ways to Reset a Lost Administrator Password” (17 January 2014), and through the vagaries of Google’s search algorithm, it remains our most popular article to this day. Apparently, lots of people forget their macOS passwords or need to help friends or clients who have lost their passwords.
Unfortunately, that article is long past its shelf life, so here’s a current guide to resetting an admin password in macOS 10.13 High Sierra. As before, you can accomplish this task in a variety of ways, depending on how the Mac in question was set up and what information you know.
Reset the Password from Another Admin Account
The best-case scenario is that there is another admin account on the Mac for which the password is available. If that’s true, you can log into that account and change the password for the locked account:
- Open System Preferences > Users & Groups.
- Select the locked account in the list at the left. (If necessary, click the lock at the bottom of the window and provide your admin credentials.)
- Click Reset Password.
- Enter the new password, verify it, and (optionally) include a password hint.
- Click Change Password.
The only problem with this method is that you can’t modify the locked-out account while it is logged in. The easy solution is to restart the Mac, log in with the admin account whose password you do know, and carry on from there. To forcibly log out the other user while rebooting, you have to enter an admin username and password.
If you don’t currently have an extra admin account on the Macs you take care of, it’s a good idea to create one. Just make sure it has a strong password that you’ll remember.
Reset the Password Using an Apple ID
What if there is no other admin account available? You can use the Apple ID associated with the account in question to reset the admin password, but only if these conditions are true:
- You know the Apple ID’s email address and password. If you don’t know the password, but you have access to the email address, you can reset the password at Apple’s Apple ID page.
- The “Allow user to reset password using Apple ID” checkbox in System Preferences > Users & Groups must be selected. This setting won’t appear if FileVault is enabled.
To get to the point in the login process where you can reset the password, click the question mark that appears on the right side of the password field or just try to log in three times. After the third failed login attempt, the Mac will prompt you with the password reminder, if one is set, and give you the option of resetting the password using your Apple ID.
Then enter the Apple ID email address and password and follow the onscreen instructions.
Reset the Password Using the Reset Password Assistant
If the “Allow user to reset password using Apple ID” option isn’t enabled, or the previous method doesn’t work, there’s still a way to use Apple ID credentials to reset the admin password. You’ll need to use Apple’s Reset Password assistant, which requires that you reboot into macOS Recovery and use Terminal:
- To enter macOS Recovery, restart the Mac. As it’s starting up, press and hold Command-R until you see the Apple logo, at which point you can let go.
- Once in macOS Recovery, ignore the main window and choose Utilities > Terminal, which opens a Terminal window.
- In that window, type resetpassword and press Return to open the Reset Password assistant.
Either way, once you’re in the Reset Password assistant, select “I Forgot My Password” and click Next.
If the account for which you wish to reset the password is a standard account, rather than an admin account, all you have to do is enter a new password.
For an admin account, you’ll instead have to enter the password for the account’s associated Apple ID. (If you don’t know it, you can click “Forgot Apple ID or password?” to move on to the Apple ID recovery process, which may require your trusted phone numbers.) Once you have entered the necessary password, you may be prompted for a two-factor authentication verification code, which will arrive on another device connected to that Apple ID. (If the Mac is your only Apple device, you should be able to receive the code from a phone call or SMS text message.) Finally, you’ll get to a screen where you can enter a new password and password hint.
What If You Use FileVault?
FileVault encrypts the Mac’s boot volume, making it readable only after the appropriate login credentials are entered, typically those of the primary admin account. The process for resetting the admin password changes a bit if FileVault is turned on because FileVault eliminates the option to reset the password with Apple ID credentials.
Fortunately, the method remains simple: enter a random password three times at the login screen, after which you’ll be prompted to reset the password using your Apple ID or recovery key.
Apple notes that you may still have trouble logging in with the new password after all this, and if so, suggests that you use the Reset Password assistant to reset the password again, using the “My password doesn’t work when logging in” option and following the subsequent instructions.
I hope your FileVault recovery key is stored in a safe place, like 1Password or LastPass! If it wasn’t saved or you can’t access it, you may want to turn off FileVault before you get into a situation where you can’t log into the Mac. In my experience, it’s easier to back up the drive, erase it, and then restore it, than it is to turn off FileVault.
Dealing with the Keychain
The keychain is an encrypted container associated with each user account that stores login credentials for apps, network servers, AirPort base stations, and Web sites accessed in Safari. It’s easy to forget about the keychain because it is typically protected by the same password used to log in to the account. As a result, resetting the password for an admin account means that you can no longer access the keychain for that account. Sorry, but there’s no way to recover that information.
After resetting the admin password and logging in again, you will likely receive an alert that macOS was unable to unlock your login keychain. Click Create New Keychain to start fresh. If you don’t receive the alert and have problems with the keychain, follow these steps to reset it:
- Open Keychain Access from
- Choose Keychain Access > Preferences and click Reset My Default Keychains, which creates a new keychain with no password.
- Log out of the account by choosing Apple > Log Out Username.
- Log back into the account to tie the account password to the new keychain.
Don’t Reset Passwords Willy-Nilly
As you can see, there are a variety of ways that you can reset a lost or forgotten admin password and regain access to a Mac, although they all depend on knowing either another admin password or an Apple ID password.
However, don’t reset an admin password unless doing so is absolutely necessary because the login keychain will be lost in the process, and that will likely cause future annoyance.
If you’re not yet in this situation, take precautionary measures now! Be sure that your Macs’ passwords and any FileVault recovery keys are stored in secure locations that you—and other trusted users—can access easily. And of course, make sure to keep regular backups, which can help you recover from a multitude of sins.
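The precautions above can be checked from Terminal before anyone is locked out. The following shell script is an added example, not part of the original article: it reads the output of dscl and fdesetup status to report whether another admin account exists and whether FileVault is on. The function names, report wording, and sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report which of the article's reset paths a Mac could use.
# The parsers take command output as text, so they can be checked on samples.

# Print admin short names (one per line) from the output of
# `dscl . -read /Groups/admin GroupMembership`, skipping root and _service accounts.
admin_users() {
  printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' |
    tr -s ' ' '\n' | awk 'NF && $0 != "root" && $0 !~ /^_/'
}

# Classify `fdesetup status` output as on, off, or unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# recovery_report ACCOUNT DSCL_OUTPUT FDESETUP_OUTPUT
recovery_report() {
  others=$(admin_users "$2" | awk -v me="$1" '$0 != me' | tr '\n' ' ')
  others=${others% }
  if [ -n "$others" ]; then
    echo "other-admin: yes ($others)"
  else
    echo "other-admin: no (create a second admin account)"
  fi
  case "$(filevault_state "$3")" in
    on) echo "filevault: on (keep the recovery key where you can reach it)" ;;
    off) echo "filevault: off (check the Apple ID reset checkbox in Users & Groups)" ;;
    *) echo "filevault: unknown (run fdesetup status by hand)" ;;
  esac
}

# Constructed sample output, not captured from a real Mac.
SAMPLE_DSCL='GroupMembership: root alice'
SAMPLE_FV='FileVault is On.'

# On a Mac, use live data; elsewhere fall back to the constructed samples.
if command -v dscl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  recovery_report "$(id -un)" \
    "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)" \
    "$(fdesetup status 2>/dev/null)"
else
  recovery_report alice "$SAMPLE_DSCL" "$SAMPLE_FV"
fi
```

The script only reads direct members of the admin group, so accounts that gain admin rights through a nested group are not listed.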
The Terminal version appears to be different—and more secure—than with previous versions of macOS. Heretofore the password assistant merely required you to select an account and you could create a new password. As well, when you logged in with the new password you could convert the old keychain if you remembered the old password. Of course, if you don’t remember the old password, as is usually the case if you are creating a new one, then you have to create a new keychain. Which might not be a bad idea if you want to delete accumulated chuff: Old passwords you don’t use any more. Then you’ll have to return to your current secure accounts and create new keychain entries for them, when prompted. High Sierra seems a bit harder to get into.
Thanks for the article. Is there a way to reset the keychain password without losing all the stored info? I know admin user account and keychain passwords, but they are not the same (I changed admin account password several OS versions ago but that change never happened to keychain password). Is the keychain password machine specific? Asynchrony may be an artifact of the fact that I share keychain in iCloud settings, and I don’t want to mess that up.
Yes, you can use Keychain Access.app to change a keychain’s password if you know the current password; select the keychain, go to the Edit menu. You should have multiple keychains listed, ‘login’ is probably the one you want to change but there are probably others.
The keychain’s password is within the keychain file, it’s not machine specific.
Due to other computing needs, I must still use High Sierra. I’ve been trying to change my password using all the various instructions above (system preferences and terminal reset). No matter which method I use it seems to want to contact an authentication server, which it cannot find.
Any other suggestions?
EDIT: It is the Admin account.
Hi, thank you for the article.
I can’t find my particular scenario which is that User login works at startup, Keychain login works all the time (I use secure notes a lot), but my Admin is locked (no other users, I’m the only admin) and the above password which I use for all entry isn’t working to unlock it. I had some recovery work done some time ago so assume the technician must have changed it. Can’t quite believe I can’t access my own Admin. Cannot lose all my Keychain content (hundreds of confidential notes). No other user and no other option presented (FileVault must be on). What are my steps to get around this please? I do have Apple ID and password.
PS but Allow user to reset password using Apple ID is greyed off.
High Sierra 10.13.6
OK this is getting weirder. Just noticed a blue option to change password up near my name so did it. Then tried to open lock. No luck. So changed it back (to my fave one that SHOULD be working). Then gave up. Went back to life and got a message that I changed my password so enter password to enable iCloud. Did and it worked fine. So basically everything is working except unlocking that lock! (All because I want to install an application, to make a frame, to add to FB, to thank the Firies [fire fighters] in Australia). Thank you to the Firies (and all volunteers everywhere), anyway.
If you have the keychain password, can you export the items?
I don’t seem to be able to export anything—the command is always dimmed—but that Apple support article implies it should be possible in at least some cases.
Just want to say a BIG THANK YOU for this!!!
I haven’t touched my personal MacBook Pro in several months and went to fire it up, only to freeze in abject horror. What was the password?!? I knew it had something to do with hockey team names, and I knew which two teams. But, couldn’t remember it for the life of me.
Found your instructions and they worked great. Now, if only, they worked on my Fujitsu laptop running W10 I’d be utterly ecstatic!